Cybersecurity in cars: Are we at risk?
Today’s connected cars provide innovative technologies to interact between drivers, their devices, and their cars. While these new technologies provide convenient opportunities for car companies and their customers, they also expose them to cybersecurity breaches.
In a 2013 study, two researchers demonstrated their ability to connect to two cars using a laptop and cable. In a controlled setting, they demonstrated their ability to access the car’s engine control units and cause cars to suddenly accelerate, turn, brake, beep the horn, control headlights, and modify speedometer and gas gauge readings. Following this research, a Defense Advanced Research Projects Agency (DARPA) study noted concerns related to a vehicle’s controller area network (CAN) bus, which allows microcontrollers and components in cars to communicate without using a host computer. Specifically, DARPA noted that the CAN bus was accessible via Bluetooth, malware on a synced Android smartphone, and a malicious CD file.
Scary right? There’s more. Hackers can access your car’s communications systems and cause a variety of damage through interfaces including:
- Physical interfaces through which dealers perform diagnostics on your car.
- Short and long-range wireless interfaces. An example would be air pressure gauges in tires communicating to the main hub through a short-range wireless interface. Key fobs are also vulnerable.
- The USB ports we use to charge and connect phones and micro-chip ports for music files.
- Vehicle-to-vehicle technologies that provide advanced anti-collision systems.
In addition to the above attack surfaces, cybersecurity experts are more concerned with telematics systems found in most cars. They’re great technologies, but they can allow hackers to connect to your car from miles away. Luckily, there have been no known incidents—yet. The only known vulnerability was discovered via a test where German researchers sent fake messages to a SIM card in a BMW’s telematics system and were able to lock and unlock car doors. This vulnerability was updated with a security patch.
In February 2015, Senator Ed Markey released a report: Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk. The report incorporated input from major OEMs, including Detroit’s Chrysler, Ford, and GM. In the report, one of the OEMs identified a third-party application on Android devices that could integrate with cars via Bluetooth. The OEM had the app removed from the Google Play Store. Another report disclosed that individuals have attempted to reprogram onboard computers to increase engine performance.
Over the last 18 months, OEMs have dedicated cybersecurity expert teams to investigate potential issues and mitigate them. OEMs have also formed a consortium to share cybersecurity information to protect the industry called Auto-ISAC (Information Sharing Advisory Center). There are a number of solutions to the above security issues and some of them are already in use in 2014 and 2015 models. They include:
- Separate CAN bus networks for (1) monitoring systems, such as tire pressure gauges, and (2) telematics systems (think OnStar) and user multimedia systems (like Bluetooth phone sync). This way, if malware is introduced through the Bluetooth connected phone, it doesn’t affect the safety of the car. As cars become more sophisticated, they might adopt Ethernet-based systems that use IP addresses to communicate—like our corporate networks do. When this technology is paired with Wi-Fi connectivity in many of the 2015 car models, we have a real problem; hackers can potentially access the cars on highways from the Internet.
- Securing car communications with encryption and digital signature technology. This will make it much more difficult for hackers to access the systems or communication lines.
- Only allowing tested and approved apps to connect to car systems. Some OEMs are already doing this.
- Increasing focus on secure coding. OEMs have always been protective of their proprietary software code that runs a vehicle’s various components. Given today’s environment, they’ll need to up their game on securing this code further.
- Conducting independent security tests on components and communication systems. As new technology is introduced, it will be vigorously tested for security before it’s released to the market.
- Running security tests on cars as part of routine testing when customers bring their vehicles in for service. (This hasn’t happened yet, but I suspect it will.)
This may be alarming, but the good news is that many of the issues raised have come from researchers, security experts, and OEMs—not from hacking incidents. It’s great to see the industry working to get ahead of hackers. Let’s hope it stays that way.