As wireless technologies and electronic controls are increasingly built into cars, vehicles could become vulnerable to hackers – either stealing information, or injecting malware, a U.S. Senator warned in a letter to 20 major auto manufacturers.
The letter has reignited the debate over the cybersecurity of cars, as vehciles become more heavily computerised.
Senator Edward J Markey, Democrat, Massachussets, pointed out in his publicly available letter that average cars now have up to 50 electronic control units, often controlled by a car “network”.
The open letter has ignited a spate of commentary, with Market Oracle describing the crime as “cyberjacking”, and pointing out that the average family car contains 100 million lines of computer code, and that software can account for up to 40% of the cost of the vehicle, according to researchers at the University of Wisconsin-Madison.
Hacks against cars have been demonstrated before – but thus far, have relied on attackers having physical access to the vehicles. At the DefCon conference this year, two researchers showed how they could seize control of two car models from Toyota and Ford by plugging a laptop into a port usually used for diagnostics, as reported by We Live Security here.
So far, though, attacks where vehicles are “taken over” wirelessly have not been widely demonstrated.
“At the moment there are people who are in the know, there are nay-sayers who don’t believe it’s important, and there are others saying it’s common knowledge but right now there’s not much data out there,” said Charlie Miller, one of the ‘car hackers’ at Defcon. “We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars.”
“As vehicles become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code, and more avenues through which a driver’s basic right to privacy could be compromised,” Senator Markey wrote. “These threats demonstrate the need for robust vehicle security policies to ensure the safety and privacy of our nation’s drivers.
Markey argues that car companies should use third parties to test for wireless vulnerabilities, and should assess risks related to technologies purchased from other manufacturers.
A report by CNBC earlier this year described some of these threats in detail, describing car-hacking as “the new global cybercrime.”
ESET’s Cameron Camp discusses the prospect of car malware, car-hacking and AV software in an earlier blog post here. Camp discusses the practicalities oof various attacks – and says, “The thought of automotive-based ransomware is very scary indeed – whether or not it could disable your car or simply purport to, it’s still unnerving.”
Author Rob Waugh, We Live Security