Watch how car hackers can disable brakes and steal your personal data

When US TV correspondent Leslie Stahl drove her car around a deserted parking lot the other day, she was in for a big surprise.

First the car’s windscreen wipers and wiper fluid kicked into action, obscuring her sight. Then the car’s horn honked loudly and incessantly. Finally, as she drove up to a line of traffic cones she found the car would no longer brake and it smashed straight through them. Even slamming on the brake pedal, failed to stop the car.

The reason? Her car was under the remote control of Dan Kaufman, a researcher at the United States’ military’s Defense Advanced Research Projects Agency (DARPA), who has spent five years exploring how to hack into cars as part of a project run by its Information Innovation Office.

According to the report, all that the researcher used was a laptop that bombarded the car with commands, creating a brainstorm that allowed a potential attacker to take complete control of the car while it was on the road.

The dramatic demonstration was well-timed, as Massachusetts Senator Ed Markey has just released a report, entitled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk”, that claims that many modern cars are endangering lives by exposing drivers to hacking attacks that could cause vehicles to be hijacked and crashed, and the personal information of drivers to be stolen.

Senator Markey’s report quizzed 16 major automobile manufacturers about what they were doing to better ensure the safety and privacy of drivers.

In all, 16 major automobile manufacturers answered Markey’s questions: BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen (with Audi), and Volvo.

Letters sent to Aston Martin, Lamborghini, and Tesla went unanswered.

As Senator Markey puts it, in a cute soundbite, “no longer do you need a crowbar in order to break into a car, now you can do it with an iPad.”

It’s not as though these safety problems weren’t already warned about. In mid-2013, security researchers Charlie Miller and Chris Valasek showed how they could mess around
with vehicle’s electronic systems
including those related to braking and steering.

What seems to have upset Senator Markey is that in the 18 months since Miller and Valasek demonstrated the weaknesses, the automobile industry has failed to take the issue seriously.

Charlie Miller, one of the researchers who demonstrated how hackers could hijack cars back in 2013, told Ars Technica that manufacturers either needed to do more, or federal government should start demanding it:

“Chris and I showed a year or two ago how a very simple system can prevent every attack anyone has ever come up with. I’d love to see manufacturers begin to adopt this type of technology or for the government to require it.”

And it’s not just a safety issue, computer systems embedded by the automobile industry are collecting and storing data about any journeys that are made.

Report into car hackingHere are the key findings of Senator Ed Markey’s newly-released report:

  1. Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
  2. Most automobile manufacturers were unaware of or unable to report on past hacking incidents.
  3. Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers, and many manufacturers did not seem to understand the questions posed by Senator Markey.
  4. Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all.
  5. Automobile manufacturers collect large amounts of data on driving history and vehicle performance.
  6. A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data.
  7. Manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties, and retention policies – how long they store information about drivers – vary considerably among manufacturers.
  8. Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.

Car safety is one of the key areas of concern for the so-called “Internet of Things”. We have to accept that we’re now sitting in a computer which is driving down our highways, not just dumb automobiles. If cars can be hacked, then it’s not just our data that can be lost – our lives might be at risk as well.

For further information, check out the full report.

Author Graham Cluley, We Live Security

Follow us

Copyright © 2016 ESET, All Rights Reserved.