One day soon, your new car will come loaded with apps that can play live baseball games from across the country or read news articles aloud. Buy a Toyota? Apple’s CarPlay will turn it into an iPhone on wheels. Opt for a Hyundai, and you’ll get Google’s Android operating system built into the dashboard. And most major automakers are planning to offer both.
That’s sure to stir up excitement among tech-savvy consumers, but it also has hackers imagining a whole new world of opportunity.
“Can some 14-year-old in Indonesia figure out how to [hack] this and just shut your car down … because everything is now wired up?” asked Sen. Jay Rockefeller in a hearing last year.
That worry, while sounding rather dystopic, isn’t necessarily unrealistic, said Chris Valasek, who handles security intelligence for IOActive, a security firm. That’s because Valasek, while not a teenager from Southeast Asia, has taken car-hacking to a scary level.
Last year, Valasek and hacking partner Charlie Miller linked a laptop to the data port of a Ford Escape. Sitting in the backseat while a reporter drove, they changed the fuel indicator level, upped the speedometer reading to 199 mph and activated the horn. Then, mid-drive, they jerked the steering wheel back and forth and deactivated the vehicle’s brakes (an earlier test sent Miller into the back wall of his garage).
If that sounds frightening, Valasek says, it’s time to imagine the possibility that tomorrow’s hackers won’t need a plug-in cable — and they could do more than give their victims a little scare. “There’s a lot of wireless communications in the car, and I assume connected vehicles will add more wireless communications,” he said. “The more ways to wirelessly communicate with something, the more attack surface there is. Added complexity many times gives an attacker more ways to attempt to get into a vehicle.”
Attack surface is another way of describing the wireless entry points to a vehicle. Cars can use cellular networks to place calls or receive navigation. They use Wi-Fi to connect devices in the vehicle to the Internet. They link to phones with Bluetooth. Even their tires can send wireless signals to indicate low pressure.
Today’s cars have upward of 100 microprocessors to sort this data and send signals throughout the vehicle. The problem comes when one of these signals is breached. A computer, by contrast, has safeguards to protect systems like disk storage if another area, such as a Web browser, is hacked. This is known as preventing “lateral movement.”
“Cars aren’t really there yet,” Valasek said. “Many automobiles don’t have a layered approach to security right now. They just assume somebody can’t break in. … You want to segregate portions.”
And while the internal workings of today’s cars lack protection, the software of tomorrow’s vehicles will add another challenge. With Android and CarPlay on the horizon — and most automakers on board — a whole generation of cars will soon hit the road en masse with virtually identical operating systems.
“The new operating systems will make the market less heterogeneous, which potentially is more dangerous,” said Vicente Diaz, a security researcher at Kaspersky Lab. “Attackers will be more familiar with these systems.”
Of course, hackers have already had years to practice breaking into those systems on mobile devices. “People have been hacking those operating systems for a long time,” Valasek said. “It may give them a more familiar method to get in.”
Another issue, Diaz warned, is that while phones tend to get replaced every few years, the longer lifespan of a car could make it increasingly vulnerable as time goes on.
Without further testing, it’s hard to say just what a cybercriminal could do with a given hack. No one knows how hard it would be to wirelessly replicate Valasek’s complete control of a car — or how many vehicles will suffer that vulnerability.
But other concerns could give car buyers pause. Hackers could steal a driver’s location data or use Bluetooth to activate a phone’s microphone and eavesdrop. Some remote unlock applications could even let hackers gain entry to a vehicle.
These violations won’t necessarily happen because a hacker targets a specific car. In most cases, hackers will gain access to a user’s online profile first, then wait for it to get linked to a vehicle. “[If] the app in your phone or your Web portal credentials get hacked, an attacker will have access to the data of your car,” Diaz said. “They could see all the details of your car, even its location, and in some cases be able to unlock the doors. All this may start with a simple phishing message, so consumers should be aware of what this new ecosystem represents and the consequences.”
Automakers say they take such threats seriously and are working to prevent them, though some point out that no one has successfully pulled off a real-world wireless hack. But that doesn’t mean it can’t or won’t happen, security experts warn. “Manufacturers need to really start considering what happens when someone does compromise a portion of their vehicle instead of assuming no one will,” Valasek said.
For now, he and his fellow “good-guy” hackers will keep making cars go haywire, warning of the threats they expose and hoping their finds help keep the road free of malicious hackers.