It is perfectly possible to “hack” a car while it is driving on the road, seize control, and force the vehicle into a fatal crash, says a car security specialist, speaking to Network World.
Security researchers have demonstrated such hacks using wired systems or short-range wireless such as Bluetooth, but Toucan Systems claims that attacks can be conducted from half the world away, from a computer at a desk.
Jonathan Brossard, quoted by the Sydney Morning Herald, “does not know of a car that has been hacked on the road but says his company does it for vehicle manufacturers in Europe.”
”The vehicle is remote from me. I am sitting at the desk and I am using the computer and driving your car from another country. I am saying it is possible. A car is, technically speaking, very much like a cell phone and that makes it vulnerable to attack from the internet. An attack is not unlikely.”
A report by CNN Money describes the security of “connected” cars as simply behind the times. CNN describes the 50 to 100 computers controlling steering, acceleration and brakes in the typical automobile as “really dumb” – and says “there’s a danger to turning your car into a smartphone on wheels”.
“Auto manufacturers are not up to speed,” said Ed Adams, a researcher at Security Innovation, speaking to CNN Money. “They’re just behind the times. Car software is not built to the same standards as, say, a bank application. Or software coming out of Microsoft.”
The report claims that the next generation of cars from both Audi and Tesla will be wirelessly connected to the internet via AT&T – and thus much more vulnerable.
Writing about a demo at the Blackhat conference in Las Vegas last year, ESET malware researcher Cameron Camp said, “Traditionally, cars have had rudimentary computing systems, implemented to carry out fixed tasks like measuring fuel for injection, making your transmission shift more smoothly under gentle acceleration or to improve gas mileage – things like that.
But with some manufacturers hoping to roll out location-aware browser-based or embedded information systems, can scams be far behind?”
The CNN Money report compared the 145,000 lines of computer code used in the spaceship that put men on the moon, Apollo 11, with the average modern automobile, which has 100 million.
Last year, Senator Edward J Markey, Democrat, Massachussets, pointed out in a publicly available letter to 20 auto manufacturers that average cars now have up to 50 electronic control units, often controlled by a car “network, and that manufacturers had a duty to protect consumers against hackers.
The open letter has ignited a spate of commentary, with Market Oracle describing the crime as “cyberjacking”, and pointing out that the average family car contains 100 million lines of computer code, and that software can account for up to 40% of the cost of the vehicle, according to researchers at the University of Wisconsin-Madison.
Hacks against cars have been demonstrated before – but thus far, have relied on attackers having physical access to the vehicles. At the DefCon conference this year, two researchers showed how they could seize control of two car models from Toyota and Ford by plugging a laptop into a port usually used for diagnostics, as reported by We Live Security here.
So far, though, attacks where vehicles are “taken over” wirelessly have not been widely demonstrated.
“At the moment there are people who are in the know, there are nay-sayers who don’t believe it’s important, and there are others saying it’s common knowledge but right now there’s not much data out there,” said Charlie Miller, one of the ‘car hackers’ at Defcon. “We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars.”
“As vehicles become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code, and more avenues through which a driver’s basic right to privacy could be compromised,” Senator Markey wrote. “These threats demonstrate the need for robust vehicle security policies to ensure the safety and privacy of our nation’s drivers.
Markey argues that car companies should use third parties to test for wireless vulnerabilities, and should assess risks related to technologies purchased from other manufacturers.
A report by CNBC earlier this year described some of these threats in detail, describing car-hacking as “the new global cybercrime.”
Author Rob Waugh, We Live Security