programming4us

Cars 2.0 : Hacking by hi-fi & Playing catch-up

Cars 2.0

Are connected vehicles vulnerable to cyberattack? Let’s explain.

Researchers at the University of California and the University of Washington have created the world’s first zombie car, using wireless cyberattacks to seize complete control of a modern saloon. The attacks compromised every embedded electronic system in the vehicle, from the lights and CD player to in-car communications, GPS, locks, alarms and brakes.

The researchers were able to unlock the car, disable alarms and start the engine, track journeys by GPS, and even record conversations inside the car. Now the automotive industry is scrambling to reassure drivers that their cars are unlikely to be hijacked while in the fast lane of the motorway.

Yoshi Kohno is part of a University of Washington team that first attacked automotive security systems last year, with malware called CarShark that required a physical connection to a car’s diagnostic port. “A mechanic or valet might be able to do that, but it’s a bit farfetched,” he says. “So we wondered if we could gain access to a car’s internal computer network without ever having to physically touch it.”

It turns out that they could, and in several ways. One method required hacking a wireless diagnostic tool used by garages, but others could be carried out by anyone with a laptop or even a mobile phone.

Hacking outside the box

Now that digital technology pervades our everyday lives, laptops and websites are far from the only potential targets for cybercriminals. Embedded systems are a security scandal waiting to happen, and they can be found almost everywhere.

Power crazed
Researchers at this summer’s Defcon security conference in Las Vegas unveiled a device that could compromise security systems and baby monitors using powerline technology (sending information over domestic electricity circuits). By plugging their device into an outside socket, the researchers were able to monitor cameras and disrupt alarm systems.

Lethal injection
Many modern medical devices use short range wireless communications for control and feedback. One researcher has demonstrated that he can force a personal insulin pump to inject dangerous quantities of the drug or shut itself off altogether. Another has shown that he could turn off pacemakers remotely.

Scan-dal
Keep your trousers buttoned at this year’s Christmas party. Cloud security firm Zscaler recently posted dozens of images that it had downloaded from web-enabled scanners in businesses and private homes. Unsecured web servers built into high-end models were the culprits.

Hacking by hi-fi

Loading malware on a CD and playing it in the car’s media centre was one trick. Others involved attacks via Bluetooth and dialling up the car’s built-in telematics system. Using this technique, Kohno’s team was able to control a car remotely by playing an audio file ‘song’ down a standard phone line. Once they had accessed even one corner of the car’s network, the researchers were able to enslave the entire vehicle, says Kohno: “It turns out that it’s very hard to segregate components within a car. For example, think about a modern luxury car that turns up the radio as you accelerate. That means there’s communication going on to tell the radio the car is going faster or slower.”

Electronic systems in cars have always had weaknesses but, as with PCs, it took the arrival of digital connectivity to amplify the dangers. “Cars are getting enhanced calling systems, web connectivity and app stores but manufacturers haven’t paid much attention to security issues,” says Kohno.

Stephen Checkoway of the University of California agrees: “Modern cars have tens to hundreds of computers running millions of lines of code rife with old vulnerabilities. One problem is the business model of the auto makers. Manufacturers outsource components, then take a bunch of widgets and stick them together. They don’t have the source code so they can’t do security audits or check for vulnerabilities. Almost without exception, every bug we found lay at the intersection of two components.”

Playing catch-up

Raj Samani, Chief Technology Officer for security firm McAfee in Europe, sees it from another angle. “The pace of change with cars and embedded systems is dramatically fast,” he says. “99 times out of 100, we’re trying to play catch up with new risks that are coming. We’re going at a million miles an hour.”

That is not the best speed at which to make major changes. “Updating embedded systems software should be feasible but you don’t want your car to do a software update while you’re driving at 60mph,” says Kohno.

It’s better to include security features from the ground up, says Samani: “The cost of recalling a car is significant. It’s much more cost effective to build in security by design.” Some manufacturers are leading the way. Vehicles using Ford’s Microsoft-developed Sync system have a hardware firewall to regulate information flow between the entertainment and control computers, and prevent the car’s media player from downloading or running any new code.

Building cyber-secure cars for tomorrow is clearly sensible, but it doesn’t help us today. “Many of today’s automotive systems were not designed with security in mind,” admits Kohno, before explaining that even his team of experienced computer security academics took several years to uncover all the vulnerabilities of their test car. “I don’t think people need to immediately cringe and worry about these threats in the near future,” he says. “What scares me most is industry, government and third parties not proactively trying to secure future automobiles that will be even more communicative.”

Malware can be loaded onto a car’s computers via the hi-fi system

Cat Hackforth: Speed of security

“As Stephen Checkoway points out, the weakest points in an IT system are typically the intersections between pieces of technology, and the more connected hardware becomes, the more links there are and the more potential vulnerabilities.

That said, I think we should be heartened by his team’s ability to enslave a car - by seeking out a worst-case scenario, they have enabled security developers to stay ahead of would-be hackers.

Early computer networks were particularly vulnerable to exploitation because it was unexpected - Robert Tappan Morris, the creator of the first computer worm, claimed even he didn’t realise what he had released on the world. Teams like Checkoway’s are testing modern cars to the limit before disaster strikes and, importantly, security companies are taking notice.

It’s also worth remembering that features like keyless entry are designed to solve a much more likely form of car crime - thieves hooking a piece of wire through a letterbox and fishing for keys near the front door. Your average car thief looks for an easy opportunity, and placing a data CD in the stereo isn’t it. If they have access to the stereo, they’re already behind the wheel.

Improvements in security technology have seen UK car thefts drop from 600,000 a year in 1990 to 107,000 in 2010, and I’m willing to bet that trend will continue for many years.”
