Hacking a Car is Easier Than You Might Think
Many motorists have no idea that despite the best efforts of government, automobile manufacturers, and safety advocates, today’s cars and trucks are now more dangerous than they used to be. Yes, they are designed to be safer, but ironically the cyber technology used to make them so is the same technology that makes them more dangerous.
Imagine for a moment an extreme example in which a driver takes a trip to visit his family over the weekend. He turns on the radio but then remembers that a co-worker gave him a CD to listen to. Within seconds, the vehicle’s anti-lock brake system engages and a tractor-trailer rams into the car. Law enforcement officials respond to the crash and download data from the vehicle’s event data recorder to investigate what happened. The post-crash analysis shows the cause was sudden braking but not why. A more thorough investigation by a cyber-forensics investigator determines that the car’s controls were hijacked. How? Someone tweaked the CD with malicious code that penetrated the vehicle’s unsecure network and caused the intense braking to take place.
You may think that cyber threats like these are science fiction, but you would be wrong. They are real, and researchers have proven hackers can use personal information available through telematics features, or vehicular technologies, to steal vehicles by unlocking the doors, cause crashes by turning off the engine or deactivating the starter, or change the vehicle identification numbers to avoid tracking by law enforcement.
Each year vehicles continue to morph into even more complex electronics-intensive digital devices. Today’s vehicles contain 30 to 100 electronic control units, 100-plus actuators, more than 4,000 signals, and another 70 to 100 sensors. There are numerous wired and wireless external interfaces for accelerometers, cameras, radar, sonar, temperature and even rain sensors. Combined they produce more than 25 gigabytes of data per hour.
Automakers include wired and wireless interfaces in vehicles for USB, CD and DVD, Bluetooth, Wi-Fi, and radio frequency capabilities, plus a host of other features including Global System for Mobile Communications (GSM) connectivity and keyless entry.
Vehicle architecture is shifting from “embedded” to “enabled.” However, some see the trend from an isolated closed-loop structure to more open systems as a problem rather than a solution. This increasing complexity can introduce security flaws that allow tampering with safety systems.
More worrisome, the sophisticated electronic tools to hack cars are inexpensive and sold online. It’s easy to find YouTube videos detailing how to reengineer in-vehicle networks and reset air bags or even erase crash data.
Moreover, it does not take much technical skill. Hacking and tampering will become widespread as vehicles become “connected,” communicating not only with each other, but also with service providers. Vehicles now transcend electronic, mechanical, and software boundaries to include assorted services for the driver, passengers, and the vehicle itself. A few examples are online vehicle diagnostics, warranty management, networked infotainment, and integration of applications such as driver performance measurements and personalized insurance services. And these are just the tip of the iceberg.
SECURING THE SYSTEM
But work is going on to prevent such hacking. Automotive cybersecurity represents the body of methodologies, processes, best practices, and standards designed to protect automobiles from malicious attacks, damage, unauthorized access, or manipulation. This involves protecting vehicle computer systems, data, networks, software, and users, including owners, operators, and mechanics.
Automotive technology has always evolved, but what’s happening now is new territory and it’s more of a revolution than evolution. For the first time, engineers are involved in collaborations among private industry, academia, and government regarding modern in-vehicle cybersecurity threats, vulnerabilities, and risk mitigation and countermeasures.
There are many vehicle cybersecurity initiatives in the United States and Europe with ongoing and planned vehicle cybersecurity projects, including the Transportation Research Board, which conducts workshops on Road Vehicle Automation.
Despite these initiatives, there are no rules or guidelines for automobile cyber safety. U.S. regulators are hampered by funding and a lack of congressional mandates, which means they will not or cannot do much of anything about the risks until the problem becomes a so-called “safety problem.”
A U.S. Government Accountability Office (GAO) report to the chairman of the Committee on Commerce, Science, and Transportation, U.S. Senate, titled Highway Safety: Foresight Issues Challenge Department of Transportation’s (DOT) Efforts to Assess and Respond to New-Technology-Based Trends, recommends that the DOT develop an approach to guide decision-making on new, fast-moving trends that can affect highway safety. It also recommends evaluating whether new data systems and analytic techniques are needed to provide information on such trends, and employing specific strategies in communicating with Congress about these and other trends. The DOT has thus far disagreed with the first of these and did not comment on the other two. The GAO continues to recommend all three.
To hear more on this topic from the National Academy of Engineering of the National Academies, listen in on their podcast Car Hack