What Happens When Your Car Gets Hacked?

Connected cars could give cybercriminals a whole new range of targets.

National Journal
Alex Brown
Add to Briefcase
Alex Brown
July 23, 2014, 10:41 a.m.

One day soon, your new car will come loaded with apps that can play live base­ball games from across the coun­try or read news art­icles aloud. Buy a Toyota? Apple’s Car­Play will turn it in­to an iPhone on wheels. Opt for a Hy­undai, and you’ll get Google’s An­droid op­er­at­ing sys­tem built in­to the dash­board. And most ma­jor auto­makers are plan­ning to of­fer both.

That’s sure to stir up ex­cite­ment among tech-savvy con­sumers, but it also has hack­ers ima­gin­ing a whole new world of op­por­tun­ity.

“Can some 14-year-old in In­done­sia fig­ure out how to [hack] this and just shut your car down “¦ be­cause everything is now wired up?” asked Sen. Jay Rock­e­feller in a hear­ing last year.

That worry, while sound­ing rather dystop­ic, isn’t ne­ces­sar­ily un­real­ist­ic, said Chris Valasek, who handles se­cur­ity in­tel­li­gence for IO­Act­ive, a se­cur­ity firm. That’s be­cause Valasek, while not a teen­ager from South­east Asia, has taken car-hack­ing to a scary level.

Last year, Valasek and hack­ing part­ner Charlie Miller linked a laptop to the data port of a Ford Es­cape. Sit­ting in the back­seat while a re­port­er drove, they changed the fuel in­dic­at­or level, upped the speedo­met­er read­ing to 199 mph and ac­tiv­ated the horn. Then, mid-drive, they jerked the steer­ing wheel back and forth and de­ac­tiv­ated the vehicle’s brakes (an earli­er test sent Miller in­to the back wall of his gar­age).

If that sounds fright­en­ing, Valasek says, it’s time to ima­gine the pos­sib­il­ity that to­mor­row’s hack­ers won’t need a plug-in cable — and they could do more than give their vic­tims a little scare. “There’s a lot of wire­less com­mu­nic­a­tions in the car, and I as­sume con­nec­ted vehicles will add more wire­less com­mu­nic­a­tions,” he said. “The more ways to wire­lessly com­mu­nic­ate with something, the more at­tack sur­face there is. Ad­ded com­plex­ity many times gives an at­tack­er more ways to at­tempt to get in­to a vehicle.”

At­tack sur­face is an­oth­er way of de­scrib­ing the wire­less entry points to a vehicle. Cars can use cel­lu­lar net­works to place calls or re­ceive nav­ig­a­tion. They use Wi-Fi to con­nect devices in the vehicle to the In­ter­net. They link to phones with Bluetooth. Even their tires can send wire­less sig­nals to in­dic­ate low pres­sure.

Today’s cars have up­ward of 100 mi­cro­pro­cessors to sort this data and send sig­nals throughout the vehicle. The prob­lem comes when one of these sig­nals is breached. A com­puter, by con­trast, has safe­guards to pro­tect sys­tems like disk stor­age if an­oth­er area, such as a Web browser, is hacked. This is known as pre­vent­ing “lat­er­al move­ment.”

“Cars aren’t really there yet,” Valasek said. “Many auto­mo­biles don’t have a layered ap­proach to se­cur­ity right now. They just as­sume some­body can’t break in.”¦ You want to se­greg­ate por­tions.”

And while the in­tern­al work­ings of today’s cars lack pro­tec­tion, the soft­ware of to­mor­row’s vehicles will add an­oth­er chal­lenge. With An­droid and Car­Play on the ho­ri­zon — and most auto­makers on board — a whole gen­er­a­tion of cars will soon hit the road en masse with vir­tu­ally identic­al op­er­at­ing sys­tems.

“The new op­er­at­ing sys­tems will make the mar­ket less het­ero­gen­eous, which po­ten­tially is more dan­ger­ous,” said Vi­cente Diaz, a se­cur­ity re­search­er at Kasper­sky Lab. “At­tack­ers will be more fa­mil­i­ar with these sys­tems.”

Of course, hack­ers have already had years to prac­tice break­ing in­to those sys­tems on mo­bile devices. “People have been hack­ing those op­er­at­ing sys­tems for a long time,” Valasek said. “It may give them a more fa­mil­i­ar meth­od to get in.”

An­oth­er is­sue, Diaz warned, is that while phones tend to get re­placed every few years, the longer lifespan of a car could make it in­creas­ingly vul­ner­able as time goes on.

Without fur­ther test­ing, it’s hard to say just what a cy­ber­crim­in­al could do with a giv­en hack. No one knows how hard it would be to wire­lessly rep­lic­ate Valasek’s com­plete con­trol of a car — or how many vehicles will suf­fer that vul­ner­ab­il­ity.

But oth­er con­cerns could give car buy­ers pause. Hack­ers could steal a driver’s loc­a­tion data or use Bluetooth to ac­tiv­ate a phone’s mi­cro­phone and eaves­drop. Some re­mote un­lock ap­plic­a­tions could even let hack­ers gain entry to a vehicle.

These vi­ol­a­tions won’t ne­ces­sar­ily hap­pen be­cause a hack­er tar­gets a spe­cif­ic car. In most cases, hack­ers will gain ac­cess to a user’s on­line pro­file first, then wait for it to get linked to a vehicle. “[If] the app in your phone or your Web portal cre­den­tials get hacked, an at­tack­er will have ac­cess to the data of your car,” Diaz said. “They could see all the de­tails of your car, even its loc­a­tion, and in some cases be able to un­lock the doors. All this may start with a simple phish­ing mes­sage, so con­sumers should be aware of what this new eco­sys­tem rep­res­ents and the con­sequences.”

Auto­makers say they take such threats ser­i­ously and are work­ing to pre­vent them, though some point out that no one has suc­cess­fully pulled off a real-world wire­less hack. But that doesn’t mean it can’t or won’t hap­pen, se­cur­ity ex­perts warn. “Man­u­fac­tur­ers need to really start con­sid­er­ing what hap­pens when someone does com­prom­ise a por­tion of their vehicle in­stead of as­sum­ing no one will,” Valasek said.

For now, he and his fel­low “good-guy” hack­ers will keep mak­ing cars go hay­wire, warn­ing of the threats they ex­pose and hop­ing their finds help keep the road free of ma­li­cious hack­ers.

What We're Following See More »
CONGRESS BETTER GET ON BOARD
Mnuchin: Expect Tax Overhaul by August
8 hours ago
THE DETAILS
‘TOP OF THE PACK’
Trump Looking to Expand Nuclear Arsenal
8 hours ago
THE DETAILS
HAD ATTRACTED A CROWD TODAY
Alt-Right Leader Spencer Removed from CPAC
8 hours ago
WHY WE CARE
RECREATIONAL USERS
White House Promises Crackdown on Pot
9 hours ago
THE DETAILS
SAYS LEFT WILL GO INTO “MELTDOWN”
Cruz Predicts Another SCOTUS Vacancy “This Summer”
12 hours ago
THE LATEST
×
×

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.

Login