Cheap Comparison Quotes Free and Customized

Is Your Car Safe From Cyber Attacks?

By Aaron Crowe

Jeep-Grand-CherokeeHackers remotely killed a Jeep Cherokee on a highway in St. Louis in July, using the vehicle’s 3G data connectivity to kill the engine, turn on the air conditioning, hijack the infotainment system, track it via GPS, disable the brakes and control the steering.

Fiat Chrysler Automobiles quickly came up with a fix for the Sprint-powered Uconnect vulnerability in its cars with the 8.4-inch touchscreen systems. It recalled about 1.4 million affected vehicles to perform the software update.

But the fixes to the automaker’s vehicles — which include Ram, Cherokee, Grand Cherokee, Durango, Viper, Challenger and Chrysler models — raised questions about how difficult car hacking is to fix and if other cars could be hacked.

In St. Louis, hackers Charlie Miller and Chris Valasek used a hacking technique called a zero-day exploit to gain wireless control through the Internet to any of thousands of vehicles. Like many carmakers, Fiat Chrysler is turning its fleet into a smartphone that enables phone calls, controls the vehicle’s navigation and entertainment, and can be used as a Wi-Fi hot spot.

The vulnerability that Miller and Valasek found was unveiled at the Black Hat security conference in Las Vegas. Their hack allowed anyone who knows the car’s IP address to gain access from anywhere in the country. They’ve also shared their research with Chrysler, which provided the patch.

Fatal accidents predicted

Don’t expect this to be the last time you hear of a car being hacked remotely.

“With the increasing convergence of cyber and physical worlds, attacks are no longer limited to office computers and networks,” says Steve Durbin, managing director of the Information Security Forum.

“This latest hack once again demonstrates the need to build security in to systems from the beginning, rather than ignoring and hoping for the best,” Durbin says. “In today’s connected world, if its connected, its hackable and if its hackable someone will find a way to hack it.”

ISF anticipates in the next few years some deaths through such digital systems, starting with accidents in smart and self-guided cars.

“Hype around ‘cyber deaths’ will grow and incidents that we are seeing today including low-level hacking, data breaches, and even espionage, will seem insignificant by comparison,” Durbin says.

Because the proprietary systems are closed, few experts can work with each device to find solutions, says Mark Parker, senior product manager at iSheriff, a cloud-based security system.

“Any computing device is subject to being exploited, whether it be in a vehicle, or the climate control system for a building,” Parker says.

“In cases where a closed device has been exploited, consumers are at the whim of the manufacturer,” he says. “If widespread attack against a single automobile type was in the wild, the implications on passenger safety and traffic will have a very real impact on commerce as roads, driveways and parking lots are blocked worldwide. Opening these systems up so that responsible security experts can provide solutions is an important step in the right direction.”

Other hacks

Sammy Kamkar recently unveiled his $32 “RollJam” radio device that’s smaller than a cellphone and defeats the codes used to secure keyless entry and alarm systems in most modern cars and trucks, along with garage door openers. The gadget picks up and records the wireless command from a key fob, and the thief can get into the garage and car a few minutes or days later without a trace.

The tipoff for a vehicle owner that a RollJam is nearby is if their key fob doesn’t work on the first try. The RollJam could be left near a vehicle or garage, retrieved later by the attacker.

“While the media is abuzz over the arrival of driverless cars, what many don’t know is just how ‘connected’ you car is already,” says Darren Guccione, CEO of Keeper Security, Inc.

In July, GM announced a software update to its OnStar service’s iPhone app, which allows users to perform many car functions remotely, because it had a major security vulnerability. The hack could have been used to track GM vehicles, unlock their doors, start ignitions and access the car owner’s email and address.

“Although OnStar quickly patched the hole, the incident underscores that the more car functions we automate and can access remotely, the more attractive they will be for hackers,” Guccione says.

“And when the age when age of driverless cars does arrive,” he says, “they will be able to drive themselves because their systems will be connected and communicating with the systems of other cars, satellites, and roadway sensors. Which means that hacking one car can put every other car on the road at risk.”

How to prevent hacking

There are high-tech and no-tech ways to prevent hackers from taking over your car. The no-tech way is to have an old car that doesn’t have Internet connectivity, and little to no internal connectivity.

For example, the radio isn’t connected to anything except power, ground, an antenna and the speakers. The ignition system isn’t connected to anything but the power and spark plugs. Steering is mechanical and braking is non-electric.

Most cars built before 1990 don’t have on-board diagnostics, called OBD plugs, so driving an old car may be the easiest solution, though not the most practical.

If you have a modern car with a computer in it, start by contact your automaker to see if it has updates on the car’s computer that will help secure the vehicle, says Nick Espinosa, chief information officer at BSSi2, a computer consultancy firm in Illinois.

“You can disable services like OnStar so the vehicle cannot get data signals,” Espinosa says, adding that some people physically remove the OnStar units from their cars, though it’s not recommended by the manufacturer.

“You can also attempt to disable the Bluetooth feature or configure it to not search for other devices once yours is paired, though not all vehicles will have this configuration option,” he says.

“When considering a new vehicle you can look for one that uses either CarPlay by Apple or Android Auto,” Espinosa says. “These two features actually use your mobile phone to run the entertainment system connectivity and mobile phones typically have good security built in and turned on.

“At the moment there is really no need to lose sleep over this issue but it is important to be aware,” he says. “As the car manufacturers address and correct this issue the potential threat will become less and less. The good guys are always playing catchup to the bad guys but in this case the bad guys are very rare for now.”

 

Aaron Crowe is a journalist who covers the auto industry for CheapCarInsurance.net.