What Happens When Your Car Gets Hacked?

Connected cars could give cybercriminals a whole new range of targets.

National Journal
Alex Brown
July 23, 2014, 10:41 a.m.

One day soon, your new car will come loaded with apps that can play live base­ball games from across the coun­try or read news art­icles aloud. Buy a Toyota? Apple’s Car­Play will turn it in­to an iPhone on wheels. Opt for a Hy­undai, and you’ll get Google’s An­droid op­er­at­ing sys­tem built in­to the dash­board. And most ma­jor auto­makers are plan­ning to of­fer both.

That’s sure to stir up ex­cite­ment among tech-savvy con­sumers, but it also has hack­ers ima­gin­ing a whole new world of op­por­tun­ity.

“Can some 14-year-old in In­done­sia fig­ure out how to [hack] this and just shut your car down “¦ be­cause everything is now wired up?” asked Sen. Jay Rock­e­feller in a hear­ing last year.

That worry, while sound­ing rather dystop­ic, isn’t ne­ces­sar­ily un­real­ist­ic, said Chris Valasek, who handles se­cur­ity in­tel­li­gence for IO­Act­ive, a se­cur­ity firm. That’s be­cause Valasek, while not a teen­ager from South­east Asia, has taken car-hack­ing to a scary level.

Last year, Valasek and hack­ing part­ner Charlie Miller linked a laptop to the data port of a Ford Es­cape. Sit­ting in the back­seat while a re­port­er drove, they changed the fuel in­dic­at­or level, upped the speedo­met­er read­ing to 199 mph and ac­tiv­ated the horn. Then, mid-drive, they jerked the steer­ing wheel back and forth and de­ac­tiv­ated the vehicle’s brakes (an earli­er test sent Miller in­to the back wall of his gar­age).

If that sounds fright­en­ing, Valasek says, it’s time to ima­gine the pos­sib­il­ity that to­mor­row’s hack­ers won’t need a plug-in cable — and they could do more than give their vic­tims a little scare. “There’s a lot of wire­less com­mu­nic­a­tions in the car, and I as­sume con­nec­ted vehicles will add more wire­less com­mu­nic­a­tions,” he said. “The more ways to wire­lessly com­mu­nic­ate with something, the more at­tack sur­face there is. Ad­ded com­plex­ity many times gives an at­tack­er more ways to at­tempt to get in­to a vehicle.”

At­tack sur­face is an­oth­er way of de­scrib­ing the wire­less entry points to a vehicle. Cars can use cel­lu­lar net­works to place calls or re­ceive nav­ig­a­tion. They use Wi-Fi to con­nect devices in the vehicle to the In­ter­net. They link to phones with Bluetooth. Even their tires can send wire­less sig­nals to in­dic­ate low pres­sure.

Today’s cars have up­ward of 100 mi­cro­pro­cessors to sort this data and send sig­nals throughout the vehicle. The prob­lem comes when one of these sig­nals is breached. A com­puter, by con­trast, has safe­guards to pro­tect sys­tems like disk stor­age if an­oth­er area, such as a Web browser, is hacked. This is known as pre­vent­ing “lat­er­al move­ment.”

“Cars aren’t really there yet,” Valasek said. “Many auto­mo­biles don’t have a layered ap­proach to se­cur­ity right now. They just as­sume some­body can’t break in.”¦ You want to se­greg­ate por­tions.”

And while the in­tern­al work­ings of today’s cars lack pro­tec­tion, the soft­ware of to­mor­row’s vehicles will add an­oth­er chal­lenge. With An­droid and Car­Play on the ho­ri­zon — and most auto­makers on board — a whole gen­er­a­tion of cars will soon hit the road en masse with vir­tu­ally identic­al op­er­at­ing sys­tems.

“The new op­er­at­ing sys­tems will make the mar­ket less het­ero­gen­eous, which po­ten­tially is more dan­ger­ous,” said Vi­cente Diaz, a se­cur­ity re­search­er at Kasper­sky Lab. “At­tack­ers will be more fa­mil­i­ar with these sys­tems.”

Of course, hack­ers have already had years to prac­tice break­ing in­to those sys­tems on mo­bile devices. “People have been hack­ing those op­er­at­ing sys­tems for a long time,” Valasek said. “It may give them a more fa­mil­i­ar meth­od to get in.”

An­oth­er is­sue, Diaz warned, is that while phones tend to get re­placed every few years, the longer lifespan of a car could make it in­creas­ingly vul­ner­able as time goes on.

Without fur­ther test­ing, it’s hard to say just what a cy­ber­crim­in­al could do with a giv­en hack. No one knows how hard it would be to wire­lessly rep­lic­ate Valasek’s com­plete con­trol of a car — or how many vehicles will suf­fer that vul­ner­ab­il­ity.

But oth­er con­cerns could give car buy­ers pause. Hack­ers could steal a driver’s loc­a­tion data or use Bluetooth to ac­tiv­ate a phone’s mi­cro­phone and eaves­drop. Some re­mote un­lock ap­plic­a­tions could even let hack­ers gain entry to a vehicle.

These vi­ol­a­tions won’t ne­ces­sar­ily hap­pen be­cause a hack­er tar­gets a spe­cif­ic car. In most cases, hack­ers will gain ac­cess to a user’s on­line pro­file first, then wait for it to get linked to a vehicle. “[If] the app in your phone or your Web portal cre­den­tials get hacked, an at­tack­er will have ac­cess to the data of your car,” Diaz said. “They could see all the de­tails of your car, even its loc­a­tion, and in some cases be able to un­lock the doors. All this may start with a simple phish­ing mes­sage, so con­sumers should be aware of what this new eco­sys­tem rep­res­ents and the con­sequences.”

Auto­makers say they take such threats ser­i­ously and are work­ing to pre­vent them, though some point out that no one has suc­cess­fully pulled off a real-world wire­less hack. But that doesn’t mean it can’t or won’t hap­pen, se­cur­ity ex­perts warn. “Man­u­fac­tur­ers need to really start con­sid­er­ing what hap­pens when someone does com­prom­ise a por­tion of their vehicle in­stead of as­sum­ing no one will,” Valasek said.

For now, he and his fel­low “good-guy” hack­ers will keep mak­ing cars go hay­wire, warn­ing of the threats they ex­pose and hop­ing their finds help keep the road free of ma­li­cious hack­ers.

MOST READ
What We're Following See More »
“CLINTON MUST BECOME THE NEXT PRESIDENT”
Bernie Sanders Seeks to Unite the Party
2 hours ago
THE DETAILS

Instead of his usual stump speech, Bernie Sanders tonight threw his support behind Hillary Clinton, providing a clear contrast between Clinton and GOP nominee Donald Trump on the many issues he used to discuss in his campaign stump speeches. Sanders spoke glowingly about the presumptive Democratic nominee, lauding her work as first lady and as a strong advocate for women and the poor. “We need leadership in this country which will improve the lives of working families, the children, the elderly, the sick and the poor,” he said. “Hillary Clinton will make a great president, and I am proud to stand with her tonight."

“MUST NEVER BE PRESIDENT”
Elizabeth Warren Goes After Donald Trump
3 hours ago
THE DETAILS

In a stark contrast from Michelle Obama's uplifting speech, Massachusetts Senator Elizabeth Warren spoke about the rigged system plaguing Americans before launching into a full-throated rebuke of GOP nominee Donald Trump. Trump is "a man who has never sacrificed anything for anyone," she claimed, before saying he "must never be president of the United States." She called him divisive and selfish, and said the American people won't accept his "hate-filled America." In addition to Trump, Warren went after the Republican Party as a whole. "To Republicans in Congress who said no, this November the American people are coming for you," she said.

FLOTUS OFFERS STRONG ENDORSEMENT OF CLINTON
Michelle Obama: “I Trust” Hillary Clinton
4 hours ago
THE DETAILS

"In this election, and every election, it's about who will have the power to shape our children for the next four or eight years of their lives," Michelle Obama said. "There is only one person who I trust with that responsibility … and that is our friend Hillary Clinton." In a personal and emotional speech, Michelle Obama spoke about the effect that angry oppositional rhetoric had on her children and how she chose to raise them. "When they go low, we go high," Obama said she told her children about dealing with bullies. Obama stayed mostly positive, but still offered a firm rebuke of Donald Trump, despite never once uttering his name. "The issues a president faces cannot be boiled down to 140 characters," she said.

SANDERS BACKER CONFRONTS STUBBORN SANDERS SUPPORTERS
Sarah Silverman to Bernie or Bust: “You’re Being Ridiculous”
4 hours ago
THE DETAILS

Many Bernie Sanders delegates have spent much of the first day of the Democratic National Convention resisting unity, booing at mentions of Hillary Clinton and often chanting "Bernie! Bernie!" Well, one of the most outspoken Bernie Sanders supporters just told them to take a seat. "To the Bernie-or-bust people: You're being ridiculous," said comedian Sarah Silverman in a brief appearance at the Convention, minutes after saying that she would proudly support Hillary Clinton for president.

‘INEXCUSABLE REMARKS’
DNC Formally Apologizes to Bernie Sanders
9 hours ago
THE LATEST

The Democratic National Committee issued a formal apology to Bernie Sanders today, after leaked emails showed staffers trying to sabotage his presidential bid. "On behalf of everyone at the DNC, we want to offer a deep and sincere apology to Senator Sanders, his supporters, and the entire Democratic Party for the inexcusable remarks made over email," DNC officials said in the statement. "These comments do not reflect the values of the DNC or our steadfast commitment to neutrality during the nominating process. The DNC does not—and will not—tolerate disrespectful language exhibited toward our candidates."

Source:
×