Today, a car is no longer just a means to get around – it is a rolling computer network with 80 to 100 microprocessors and 100 million lines of code. Many new cars can be turned on and off with a tap of a smartphone. Others can apply the brakes while a driver is distracted, park themselves and maintain safe distances from surrounding vehicles.
In 2010 and 2011, researchers from the University of Washington and UC San Diego published two studies concerning vulnerabilities of car computers. The first, “Experimental Security Analysis of a Modern Automobile,” that said that modern automobiles are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks and while this has driven major advancements in efficiency and safety, it has introduced a range of new risks.
The second report, “Comprehensive Experimental Analyses of Automotive Attack Surfaces,” showed exactly how a hacker could compromise your car’s internal network without having any physical access to the car.
According to the UW and UCSD study, “there are over 250 million registered passenger automobiles in the United States,” and the “vast majority of these are computer controlled to a significant degree and virtually all new cars are now pervasively computerized,” and, this computerization will only accelerate, for better or worse.
Professors Tadayoshi Kohno and Stefan Savage demonstrated their ability to hack into most everything electronic in a car [under controlled circumstances]. Using a late model sedan available to anyone, they messed with the instrument panel falsifying the fuel level and speedometer reading, jammed the locks, popped the trunk, messed with the radio, turned on the windshield wipers, hacked the A/C system, and disabled the engine and brakes, all while the car was traveling at 40 m.p.h.
Researchers at the University of South Carolina and Rutgers University were able to hack into a tire pressure monitor system using readily available equipment and free software and triggered warning lights and remotely tracked the car through its cars’ diagnostic system.
Unfortunately, there are many paths for carhackers. Just having a diagnostic run on your car can give hackers laptop access to critical systems. If your iPod contains malware and you plug it into your car’s USB port, you could very well give a hacker full access. Nearly all new cars now have two-way cellular capability necessary for such systems as GM’s On-Star that are purposely designed to facilitate access to all-important systems
Experts fear terrorists could launch an attack by breaching security in the software of a particular automaker or, in the years ahead, through the wireless infrastructure being developed to provide information for connected cars. Such concerns are real enough to cause the National Highway Traffic Safety Administration to open up a cyber terrorism department just to keep track of software issues.
As vehicle-to-vehicle and vehicle-to-infrastructure technology develops, cyber threats will continue to be a major concern. Automakers are already investing in cyber security systems to protect their car systems.
Ford, for example, utilizes a “threat modeling methodology” to review potential weak links, has a built-in firewall to separate infotainment and vehicle control systems and uses key cryptography to prohibit updates to its SYNC software unless it receives a unique code that’s verified from Ford.
Will that work? Who knows. At this point your car system is no better protected than your personal computer. Experts are trying to stay ahead of the hackers, and hackers are trying to stay ahead of the obstacles thrown in their path. So far the hackers are winning!
