Can Your Car’s Computer Be Hacked By Terrorists?
By Aaron Crowe
Cars have become rolling computers, with enough computing power to run the engine, brakes and play music and give you directions.
The critical electronics systems in cars make them vulnerable to hackers, leading to “different safety and cyber security risks,” according to testimony by David Strickland, the chief administrator for the National Highway Traffic Safety Administration (NHTSA) before a Senate committee in May. Last year the NHTSA opened a cyber terrorism department to keep track of vehicle software issues that could make them vulnerable to attack.
Hackers could take control of a car’s accelerator, brakes or deploy an airbag, for example, causing a car to crash. An investigative reporter died in a car accident in June, which former Cyber Security Czar Richard Clarke said a car cyber attack could have played a role in.
For now, there’s less chance of terrorists causing a lot of cars to crash at once because there’s not a lot of code written for malicious attacks on cars, says Damon Petraglia, an information security and forensic expert at Chartstone who has led cyber-crime and breach investigations.
But it can be done, Petraglia says, with such methods as shutting off a car’s power steering and other ways that a car is connected through the Internet.
“All they need is for a couple of people to be hurt or killed,” creating mass panic, he says.
It’s a big enough issue that U.S. Sen. Jay Rockefeller asked auto experts during a recent Senate Commerce Committee hearing, “Can some 14-year-old in Indonesia shut a bunch of cars down because everything is wired up?”
Some of the ways a hacker could get into a car’s computer, Petraglia says, include when a vehicle’s navigation system is updated, through a diagnostic port, and connecting a smartphone into a USB port in the car. QR codes, for example, can contain malware that can be transferred from a phone to a car, he says.
Sensors built into cars have been shown to have few security protections built in. The electronic control units used as tire pressure sensors have been used to track vehicles, and hacked to give the car bad data.
Hackers don’t have to breach a car’s software to cause an accident, but can get to them through wireless infrastructure that allows cars to be connected and warn each of speed changes, for example. The Department of Homeland Security has warned that Bluetooth-based traffic systems could be hacked.
As CheapCarInsurance.net has written before, personal information in a car can stay there after a car is sold or traded in, so it’s a good idea to have it erased from the car’s computer before you turn the car over. With all of the computing power in a car, drivers should think of safekeeping their car’s computer as much as they do at home, Petraglia says.
“We should be updating our cars’ computers as much as we do our home computers,” he says.
Pulling information from a server by accessing a website tells the server a little bit about yourself through your IP address, which lets the server know where you are.
Nissan Leaf owners ran into a possible security breach in 2011 when it was discovered that by using an Internet service in the car, their location was given to the service provider. When Leaf owners used the car’s telematics system to access websites, it gave out the car’s exact location and speed to the RSS-feed provider.
Automakers wirelessly update software, just as people do with their home computers and smartphone apps, and all are possible entryways for hackers, Petraglia says.
If hackers could get into OnStar’s RemoteLink system, they could do the same things that its customers do: Unlock car doors or turn the engine off.
Terrorists may not yet go after individual cars — preferring bigger targets with more potential victims — but that doesn’t mean that they won’t look for security breaches in cars as the newest way to panic the American public, Petraglia says.
“I don’t think it’s an area where we need to panic, but we do need to be concerned and the automobile manufacturers need to put controls in place,” he says.
There are several steps that vehicle manufacturers can take to combat hackers, says Alan Grau, president of Icon Labs, which provides security solutions for embedded devices.
One is secure boot with code validation to stop hackers from uploading malicious code into a vehicle, Grau says. Even if hackers can access the diagnostic port and upload malicious code, the secure boot would detect that the code isn’t valid and wouldn’t run the insecure code. It would only run computer codes that are certified from the manufacturer.
Another step is to add packet filtering for remote unlock and start commands that come from text messages and keychains. The vehicle would filter the message packets to ensure they’re from a trusted host, Grau says, and would prevent messages sent from hackers from being recognized.
One bit of good news for drivers is that car computers are less likely to be hacked because they’re not connected to networks. Though some cars, such as the Leaf, are connected to the Internet, and mobile phone apps make them more connected, “hacking a car’s computer is possible but very unlikely,” says Ankit Oberoi, director of Innobuzz, an IT security and ethical hacking training company.
That’s good news if you don’t use your car’s computer to get directions off the Internet or look for a restaurant while out driving. But sooner or later, you probably will.
Aaron Crowe is a journalist who covers the auto industry for CheapCarInsurance.net.