Car Hacking: How Automakers Are Racing to Beat the Threat
As anyone who has shopped for a car lately can attest, modern vehicles are increasingly becoming rolling computers. Remote start, voice commands, adaptive cruise control, collision avoidance systems and automated parking are just a few of the hundreds of computer-based features offered in today’s cars. As many as one hundred individual computers can now be found in some models. Because these systems are interconnected via a controller area network (called a CAN Bus) and offer Bluetooth or internet connectivity in some form, they are a potential target for hackers.
In just the last two years, a string of prominent, non-malicious attacks conducted by white-hat security researchers has exposed vulnerabilities in vehicles produced by General Motors, Chrysler and Tesla.
General Motors
Last February, a researcher at the Defense Advanced Research Projects Agency (DARPA) showed 60 Minutes how he was able to gain control of GM’s OnStar emergency communications system and use it to spread malicious code to other computers in the vehicle. Using this access, he was able to remotely steer, apply the vehicle’s brakes and even cut them off completely.
Later that year, a separate team of researchers from the University of California San Diego hacked a 2013 Chevy Corvette by exploiting a weakness in a telematics dongle produced by a company called Metromile. That product’s cellular connectivity, which isn’t designed to control the vehicle in any way, was used to distribute code to the CAN Bus, which in turn gave the researchers access to critical systems simply by sending text messages.
It took GM almost five years to fix a hack in the Chevy Impala.
Chrysler
Last summer, a pair of hackers demonstrated a remote hack of a Jeep Cherokee to a reporter as he drove the vehicle on a highway. They were able to control everything from the SUV’s climate control system to its transmission and brakes, at one point forcing it to slow to a crawl as traffic piled up behind. The hackers had previously demonstrated similar capabilities with a Ford Escape and a Toyota Prius.
Chrysler’s Uconnect system, which provides connectivity, infotainment, navigation and voice commands to all of its vehicle lines, permitted remote access to anyone with a smartphone and knowledge of the vehicle’s IP address. Gaining access to a wireless connectivity module was just the first in a series of separate hacks needed to gain control of a car’s brakes. But it’s also just one of dozens of methods hackers can use to make that crucial initial breach.
Chrysler patched its software to prevent similar attacks before the research was released to the public, recalling 1.4 million vehicles.
Tesla
Last month, Tesla made unwelcome headlines by falling victim to a severe hack performed by Tencent, a Chinese security firm. Because the Tesla Model S is a fully electric vehicle managed entirely by computers, the team was able to commandeer pretty much any functionality it wished to. What’s more, the hack required no physical access or special knowledge about the vehicle. All the researchers needed to do was spoof a wireless hotspot and trick the car into thinking it was connecting to the internet at a Tesla dealership, causing it to automatically connect to the network and download malicious code.
The Model S has computers integrated into almost every feature.
Long-Term Solutions?
Tesla responded by immediately pushing updated firmware out to all of its vehicles to fix the specific flaws. Unlike previous targets, however, the carmaker also had a broader plan of action that went beyond the typical software patch, rushing to implement a “code-signing” technology it had been working on for years.
As demonstrated by Apple’s recent battles with the FBI, hacking a smartphone has become very difficult in recent years. Usually, a hacker will need to use social engineering to gain a victim’s trust, or at least temporary access to their unlocked phone. That’s because any updates to the phone’s software include a sophisticated cryptographic key that only the manufacturer itself can generate. When code attempts to install itself without a matching encryption key, it triggers the phone to recognize it as an attack.
Before Tesla’s most recent firmware update, no car offered that protection across its entire network of onboard computers. According to Tesla CTO JB Straubel, this prevents minor security vulnerabilities from spreading beyond the initial point of attack.
Code signing is just one of a number of technologies being developed to make connected cars more secure. Another approach is based on monitoring commands sent through the CAN Bus for irregularities that would be unlikely to occur during normal operation of the vehicle.
More and more vehicles are also capable of receiving software updates from the manufacturer remotely, rather than relying on owners to bring their cars in as part of a recall. In non-updated older vehicles, hackers have years to string together chains of vulnerabilities in different systems. In a vehicle receiving regular remote updates, those flaws can be recognized and fixed before becoming part of a larger attack.
Carmakers Are Adapting Quickly
As digital control systems become more widespread and interconnected, carmakers have become increasingly serious about developing comprehensive solutions to the threat of hacking. Thus far, there have been no reports of malicious remote hacks that compromised a driver’s safety by taking control of a vehicle.
The industry has a lot invested in gaining the public’s trust in robust high-tech features. On average, more than a quarter of a new vehicle’s cost is now attributed to computers and electronics, and that number is expected to increase significantly in just the next five years. Fully autonomous cars are also expected to break into the market soon, but in order to clear regulatory hurdles, manufacturers will have to demonstrate unprecedented levels of digital security.
While no networked computer can ever be truly hack-proof, the specific flaws exposed by researchers in the last few years are unlikely to remain threats for long. Remote access via wireless networks and smartphone apps can be made more secure. Increasingly, hacking will depend on social engineering and gaining physical access to a vehicle, meaning that the onus for securing vehicles will be on the owners and operators themselves.
Next week, we’ll look at how individuals and fleets can make their vehicles more secure now—and position themselves to defend against the threats of the future.
*featured pic by Marc Rogers/Cloudflare