The Newest Frontier for Hackers: Your Car
As computer technology increasingly controls critical vehicle safety features and more cars are connected to the internet, the danger of a hacker taking control of vehicles is becoming less like a Hollywood movie plot and more like something that can actually happen.
Wily cybercriminals have already proven their ability to breach government, military, corporate and individual cybersecurity walls. They’ve stolen personal information, medical records, financial data, military secrets and other data with near impunity.
The newest frontier for hackers bent on mischief? Your car.
“These are super complicated high-speed networks on wheels,” said Vance Saunders, director of Wright State University’s cybersecurity program. “I don’t have to unlock your car. Because your car is just a mobile network.”
RELATED: Hacking risk is what worries Americans most about driverless vehicles
Using the internet and one of the multiple points of access into your vehicle’s computer systems, researchers have already demonstrated that they can take control from miles away. A growing number of computer-equipped, internet-connected smart cars are on the road, and automakers are testing fully autonomous vehicles that have even more high-tech controls that allow the car to do the driving for you.
Part of the research involved in developing a smarter car is developing a more secure car.
“The point is that suddenly we are exposed to major-scale attacks that can happen to us. And those attacks can result in fatalities,” said David Barzilai, chairman and co-founder of Karamba Security, a start-up vehicle cybersecurity company based in Israel.
In addition to whatever mayhem could occur on the roadway, your car has also become yet another way for your personal information to be stolen. Newer vehicles are now able to collect a startling amount of information about you, including your address and birth date, driving habits, where you travel, your music preferences and soon, credit card information you provide so you can make purchases from inside your car.
“You could probably put together a pretty good intelligence report,” said Seth Hamman, assistant professor of computer science at Cedarville University.
Many newer vehicles are equipped with multiple sensors and Electronic Control Units (ECU), essentially an array of small computers that are connected to each other via a network, that are involved in a variety of vehicle functions.
RELATED: It’s no use honking. The robot at the wheel can’t hear you
The standard one people are most familiar with is the on-board diagnostic computer that mechanics use to diagnose problems. Automakers have also added an assortment of driver assistance technologies, such as automatic emergency braking, lane-keeping assistance and other features to make cars safer and smarter.
ECUs can control safety-critical systems like braking, along with navigation systems, location services, fleet management systems, and entertainment and communication systems. Within the vehicle, the ECUs work together to keep these functions humming along, mostly without the driver even realizing it.
Automakers can send software updates to the vehicle via the internet, vehicle occupants can use an in-car hot spot to surf the web, and connected semi-trucks can drive in “platoons,” following very closely in single file and communicating braking and speed information to each other.
“Today’s cars are connected, and advanced technologies will make the cars much more connected in digital form than now,” Barzilai said.
While that brings “significant benefits of technology and connectivity, at the same time cars are much more vulnerable to cyberattacks,” he said.
The ECUs are designed to communicate with each other, which hackers can exploit, according to Barzilai. If one ECU is penetrated, a hacker could then send commands to the other controllers on the network, he said.
Multiple access points
Hackers can gain access in multiple ways. Vehicles are equipped with embedded internet modems, Wi-Fi routers, Bluetooth modules, USB ports, high-definition radio, the on-board diagnostic port and near-field communications devices that let you unlock or start your car remotely.
In 2015, security researchers Chris Valasek and Charlie Miller showed how the Jeep Cherokee could be remotely hacked, gaining internet access through the entertainment system and then taking control of vehicle steering, brakes and transmission. That hack led Fiat Chrysler Automobiles to recall 1.4 million vehicles to fix the security flaw.
RELATED: Automated driving puts added emphasis on cybersecurity for connected trucks
Security researchers in 2011 took remote control of a car’s brakes using Bluetooth, and more recently researchers took control of the brakes on a moving Tesla from 12 miles away, according to a June New York Times story.
Auto manufacturers encourage these “white-hat” hacks by security experts so vulnerabilities can be fixed. In fact, spokespersons for Tesla and Fiat Chrysler say they participate in a “bug bounty” program that offers rewards to people who find and report cybersecurity vulnerabilities.
“FCA is deploying the latest hardware technologies to protect against cyber intrusions,” said Sandra Hosler, senior manager for global vehicle cybersecurity for Fiat Chrysler Automobiles’ U.S. operations. “But we also improve protection by partnering with others.”
Tesla released a statement saying the company “works closely with the research community to ensure that we continue to protect our systems against vulnerabilities by constantly stress-testing, validating and updating our safeguards.”
Two years ago auto companies formed the Automotive Information Sharing and Analysis Center, a central hub that tracks, analyzes and shares intelligence about cyber threats, vulnerabilities and incidents. That level of cooperation stands out in the notoriously competitive auto industry.
Karamba Security is working with 16 automakers and parts suppliers on improving vehicle cybersecurity, Barzilai said. Karamba’s software is designed to recognize and block hackers before they gain access to the various computerized functions of a vehicle.
He said the company will soon do field trials for the software in France, deploying self-driving cars in a closed area.
Experts say autonomous, or self-driving, cars will become more the norm in future years, presenting new and more complex cybersecurity challenges.
Research at Ohio State University and the Transportation Research Center in East Liberty is showing how to combat intrusions by better authenticating the command received by the vehicle, said C. Emre Koksal, associate professor of electrical and computer engineering at Ohio State.
“We have to address these (cybersecurity) issues before we deploy all these systems. And before we talk about how to rely on all those signals for our safety,” Koksal said.
He said experiments by his researchers show that vehicle security can be enhanced, but he said there may be no cure-all.
“To say that we will absolutely protect everybody from every kind of attack is an insurmountable problem,” Koksal said. “So we are basically narrowing down the set of potential attacks.”
‘You can never prevent hacking’
Resolving cybersecurity issues will be critical to advancing the aut0nomous vehicle industry, said Carla Bailo, assistant vice president of mobility research and business development at Ohio State.
“You can never prevent hacking,” Bailo said, but with robust cybersecurity systems in place the technology would “recognize the hacking symbol and your car can ignore it, or the infrastructure, the traffic signals, will ignore it.”
Barzilai also believes anti-hacking technology can make the cars safe.
“What we’ve found is the complexity is so high, hackers are going to find it so hard to hack they may look for other goals,” Barzilai said. “I don’t know if it is going to be 100% safe, but it is doable. The systems can be hardened in quite an effective way.”
Multiple states have passed laws addressing autonomous car safety and cybersecurity. Congress is looking at increasing rules for autonomous cars and cybersecurity safety with the SELF DRIVE Act, co-sponsored by U.S. Rep. Robert Latta, (R-Bowling Green), which passed in the House and is now being considered by the Senate.
Experts say the auto industry knows it has to get this one right. Otherwise, said Hamman, consumers will lose confidence and they won’t be willing to shell out money for cars outfitted with high technology that puts them at risk.
“In the recent past we would have been willing to go a lot further to get the cool next feature without worrying about the exposure,” Hamman said. “Whereas today I think that line is moving back because of the security issues.”
Vehicle access points for hackers
The opportunity for cyber intrusions is increasing as more vehicle functions are controlled by computer technology and vehicles are connected to the internet. Here are some of the vulnerable access points:
On-board diagnostics: One of the earliest forms of connectivity in vehicles, it allows auto repair shops to diagnose problems and fleet managers to collect information from vehicles.
Bluetooth module: Allows wireless short-range communication and data transmission between electronic devices and enables streaming data and media.
Embedded internet modems: Cellular technology allows the vehicle to be part of a larger network and access digital services such as entertainment, navigation and emergency calls.
Wi-Fi internet routers: Hot spots provide local wireless connectivity and allow multiple devices to connect to the internet.
USB device port: Used to connect electronic devices and computers, charge power devices and play music on car audio systems.
Near-field communication devices: Short-range wireless data transfer technology that does not require an internet connection and is used for auto-paying tolls, car access, engine starts, and personalized settings for components like mirrors and adjustable seats.
High-definition radio: Digital broadcasting that plays music and displays data such as song titles, weather, traffic and emergency alerts.
Distributed by Tribune Content Agency, LLC