Will car-hacking be the “next global cybercrime”? Senator’s letter inspires debate

As wireless technologies and electronic controls are increasingly built into cars, vehicles could become vulnerable to hackers – either stealing information, or injecting malware, a U.S. Senator warned in a letter to 20 major auto manufacturers.

The letter has reignited the debate over the cybersecurity of cars, as vehicles become more heavily computerised.

Senator Edward J Markey, Democrat, Massachusetts, pointed out in his publicly available letter that average cars now have up to 50 electronic control units, often controlled by a car “network”.

The open letter has ignited a spate of commentary, with Market Oracle describing the crime as “cyberjacking”, and pointing out that the average family car contains 100 million lines of computer code, and that software can account for up to 40% of the cost of the vehicle, according to researchers at the University of Wisconsin-Madison.

Hacks against cars have been demonstrated before – but thus far, have relied on attackers having physical access to the vehicles. At the DefCon conference this year, two researchers showed how they could seize control of two car models from Toyota and Ford by plugging a laptop into a port usually used for diagnostics, as reported by We Live Security here.

So far, though, attacks where vehicles are “taken over” wirelessly have not been widely demonstrated.

“At the moment there are people who are in the know, there are nay-sayers who don’t believe it’s important, and there are others saying it’s common knowledge but right now there’s not much data out there,” said Charlie Miller, one of the ‘car hackers’ at Defcon. “We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars.”

“As vehicles become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code, and more avenues through which a driver’s basic right to privacy could be compromised,” Senator Markey wrote. “These threats demonstrate the need for robust vehicle security policies to ensure the safety and privacy of our nation’s drivers.”

Markey argues that car companies should use third parties to test for wireless vulnerabilities, and should assess risks related to technologies purchased from other manufacturers.

A report by CNBC earlier this year described some of these threats in detail, describing car-hacking as “the new global cybercrime.”

ESET’s Cameron Camp discusses the prospect of car malware, car-hacking and AV software in an earlier blog post here. Camp discusses the practicalities of various attacks – and says, “The thought of automotive-based ransomware is very scary indeed – whether or not it could disable your car or simply purport to, it’s still unnerving.”

Author , We Live Security

  • AUTOcyb™

    When you purchase a vehicle, you own more than just the vehicle, you own the information that your vehicle generates and stores. Since you cannot turn off, delete or omit your vehicle event data recorder (EDR) / BLACK BOX data, the best solution would be to secure access to the vehicle’s network interface port located under the steering column. See the DRIVING FREEDOM campaign at indiegogo.com at http://igg.me/at/carblackbox

    • I’m not sure the question of data ownership is that clear-cut. And what about vehicles with a wireless interface?

      • AUTOcyb™

        Good point, but you should know that 14 State EDR statutes claim the vehicle owner owns the data, as does the NHTSA in federal regulation. The issue will soon receive additional clarification as Congress addresses the topic. There is a Driver Privacy Bill pending submission in the U.S. Senate. Your other issue, wireless, is being addressed by Senator Markey who requested feedback from 20 of the world’s biggest automakers. The outcome of all this is important for all. Privacy and security are still the biggest obstacles to a true automotive revolution.

        • Interesting. Not being an American, I’m actually thinking a little more globally, which is where Rob’s article started off. I’m not aware of any significant consideration of EDR issues in Europe as yet, but there are significant cultural and attitudinal differences as regards privacy between European nations, let alone between Europe and the US. As for wired and wireless, it will be interesting to see what data crawl out of the fascia. Certainly there have been security concerns about the potential for wireless mischief in this context for quite a while now.

Copyright © 2017 ESET, All Rights Reserved.