Hacking is about to get more dangerous.
In recent years, a string of high-profile attacks on companies like Target and Sony Pictures has highlighted the importance of computer security. But almost all of the recent attacks have had one upside: they didn’t kill anyone. Indeed, most hacks haven’t done any physical damage at all.
But that could soon change. The recent Consumer Electronic Show was full of car companies promoting plans to build ever more sophisticated computers into automobiles. Cars are going to have sophisticated navigation and entertainment systems, they’ll integrate better with our smartphones, and they’ll have better and better self-driving capabilities.
That will make our cars more convenient, efficient, and safer. But it’s also going to make it easier for tech-savvy troublemakers to cause serious harm — or even car crashes.
Cars are increasingly becoming computer networks on wheels
Modern-day automobiles already contain dozens of computer systems that handle a wide variety of functions, from playing music to deciding when to deploy the airbags. These computers often need to communicate with each other — for example, data from the speedometer and braking systems can help decide whether to lock the seat belts in anticipation of a crash — so they’re frequently linked together on shared networks.
Until recently, this didn’t create much of a hacking risk because attackers could only access the car’s internal network if they had physical access to the car. (And of course, someone with physical access can already do damage by slashing tires or cutting brake lines.)
But cars are becoming more connected — and therefore more vulnerable — to the outside world. In 2011, researchers at the University of California at Santa Barbara and the University of Washington conducted an in-depth study of a particular late-model vehicle (they didn’t say which one). They found it was alarmingly vulnerable to external attack.
In one attack, they created a malicious music file that, if played on the car’s stereo, would let the hackers gain control of the car’s computer systems. In another, they demonstrated that they could hack into the diagnostic equipment used by auto mechanics using its wifi connection, and from there install malicious software onto vehicles being serviced
Perhaps the most alarming vulnerability was in the car’s emergency-assistance system, which uses a cellular network to communicate with emergency response personnel in the event of a crash. The UCSB and UW researchers found that hackers could call the phone number associated with this system’s wireless connection and play a series of tones to activate the car’s modem and then hack into the vehicle.
Once hackers gain control over a car using any of these methods, they can do a lot of damage. They can activate the vehicle’s internal microphone and eavesdrop on conversations that take place inside. They can unlock the doors and disable the vehicle’s security mechanisms, making car theft easy.
Worst of all, attackers could cause the car to crash. A couple of years ago, for example, security researchers Charlie Miller and Chris Valesek demonstrated the ability to use the internal network of a Ford Escape to disable the brakes. They were also able to violently jerk the steering wheel of a Toyota Prius. If an attacker did these things while someone was driving down the highway, it could get people killed.
It’s still very hard to hack today’s cars
So why haven’t we seen hackers send cars careening off the road yet? A big reason is that, for the time being, cars are still very different from computers or smartphones — and attacks need to be highly focused in order to succeed. That won’t always be the case.
Because modern PCs and smartphones run a handful of standard operating systems — Windows, Android, iOS — a single piece of malware can compromise millions of devices. Up until now, cars have been different. The various computers inside a car each run custom software that may not be the same from model to model and from year to year. So to attack a particular vehicle, you have to know a lot about the specific software it’s running and what vulnerabilities it has. Thus far, only a handful of academic researchers have had the talent and resources necessary to develop working car hacks.
What’s more, hacking PCs and smartphones is relatively easy because they’re constantly connected to the internet. Hackers can create malware that spreads from one online machine to the next or scan random internet addresses looking for vulnerable computers. This kind of attack wouldn’t work for today’s cars. To hack their car via the cellular network, those UCSB and UW researchers had to know the specific phone number to call. It would be hopelessly inefficient for a hacker to call phone numbers at random until she reached a vulnerable vehicle.
But cars will be far more hackable in the future
But that’s all likely to change — and the next generation of cars will be even more vulnerable. Chevy, for example, is adding LTE wireless capabilities and an app store to its vehicles. BMW is adding wifi capabilities to its cars, which will feature a dashboard web browser. In short, cars are going to start looking more like conventional computers, which means they’ll become more vulnerable to conventional attacks.
In the next year or two, most car manufacturers are going to support Android Audio and Apple’s Carplay — standards that allow smartphones to control a car’s dashboard touchscreen display. These interfaces could provide another potential route for hacking: first compromise vitims’ phones (for example, by uploading malicious software to Google’s app store), then have the phones compromise their cars.
These problems will get even worse as cars gain more sophisticated self-driving capabilities. Cars are going to need ways to download software upgrades, get updated maps, and look up information and road closures. Allowing cars to download all of that data without putting them at risk from hackers is going to be a challenging security problem.
We need a culture change at auto companies
None of these problems are insurmountable. Software companies have been grappling with internet security threats for nearly two decades, and they’ve gotten pretty good at it.
But there are a couple of big obstacles. One is getting car companies to take security seriously. Safety has long been a major concern for the auto industry, but they’ve traditionally focused on problems caused by faulty components or driver error, not cyberattacks.
“Traditionally automobiles have not been network-connected and thus manufacturers have not had to anticipate the actions of an external adversary,” the UCSB and UW security researchers wrote in their 2011 paper.
A comprehensive security audit of a car’s software needs to become a standard part of a vehicle’s safety testing process. Just as automakers conduct crash tests and see how crash dummies fare, so car companies should hire “red teams” to attempt to hack into cars in order to discover vulnerabilities.
This will also require cultural and organizational changes inside of car companies. An important part of any computer security audit is to examine software’s source code looking for programming mistakes that could cause vulnerabilities. But in many cases, car companies don’t even have the source code for all of the computing devices in their vehicles. Their suppliers consider this proprietary information and guard it closely.
That will have to change. Many of the vulnerabilities the UCSB and UW researchers discovered occurred because the creators of different computing systems inside the car made different security assumptions about how the software would fit together. Catching these kinds of problems will require a comprehensive view into the vehicle that only the automaker itself can have. So car companies will need to push their suppliers to share their source code and cooperate with security audits.
“Manufacturers have definitely taken the issue seriously, as well as the Society for Automotive Engineers, and the National Highway Traffic Safety Administration,” says Stephen Checkoway. He was the lead author of that 2011 car-hacking study while he was a grad student at UCSB. He’s now a computer science professor at Johns Hopkins University. “They’ve all reacted in what I can only characterize as the most positive way possible.”
Both the SAE and NHTSA have begun producing new standards and guidelines for guarding cars against online security threats. And some car companies have begun to make the issue a priority as well. General Motors, for example, recently hired its first Chief Product Cybersecurity Officer.
A big problem, according car security researcher Chris Valasek, is a lack of transparency. Software companies like Microsoft and Twitter are highly engaged with the computer security community. That’s not as true in the automotive industry. “Unless you purchase a car and tear it down, you don’t really know what’s there to protect you,” Valasek says. Unfortunately, “it’s really expensive to get started. Cars and their parts and tools are costly.” So few researchers have the necessary resources.
In the long run, it will be in the interest of car companies to encourage security experts to tear apart their vehicles and find the vulnerabilities. Because if the good guys don’t do it, the bad guys will. And that will be much worse for the car companies — in the worst case, it could even cost some customers their lives.