Hacking the connected car

Insight into a new threat to auto owners and drivers

Today’s cars are computers on wheels. Like their stationary cousins, connected cars run millions of lines of code every day, and that technology delivers a better driving experience.

There’s a flip side to progress: like computers, today’s connected cars can be hacked. What’s to stop criminals from electronically taking over millions of cars?

Today’s answer: they have little motive. Experience to date seems to bear this out. Praveen Narayanan, research manager for automotive and transportation for consulting group Frost & Sullivan, states unequivocally: “No actual hacks have happened in the real world.”

Easy to hack?

Andy Rowland pours cold water on Narayanan’s news. “The skill level required to hack a car isn’t as high as you might imagine,” says the head of customer innovation, global mining, oil & gas, automotive & AMEA for BT Technology, Service and Operations.

Rowland cites 2014 reports of a 14-year-old who hacked into a vehicle using $14 worth of parts from an electronics store. His was one of many successful “white hat” (i.e. ethical) hacks into myriad computers embedded in today’s vehicles. But even he doesn’t mention actual incidents of the black-hat variety. So the world’s drivers seem safe from criminal hackers – for now.

Concerns over car-focused cybercrime seem a logical consequence of the proliferation of in-vehicle technologies. To compound the problem, many of the electronic control systems (ECUs) that help deliver these improvements must share data with other components to do their jobs. For instance, adaptive cruise control, lane departure warnings and collision avoidance systems receive information from onboard radar and/or cameras. The benefits of sharing data are obvious, but there’s a risk: hack into one ECU, the thinking goes, and the car’s security safeguards topple like dominoes.

Cybercrime targets

Narayanan distinguishes between two types of targets for cybercrime. One is the back-end systems that aggregate customer information gathered from vehicles and other sources. These data sets may rival those of Home Depot and Target, themselves high-profile victims of criminal hackers, in size and value, especially if they contain credit card data.

“Through telematics and wireless connectivity, cars are collecting and processing enormous amounts of data,” warns Vincent Gogolek, executive director of B.C.’s Freedom of Information and Privacy Association (FIPA), in a press release. “More and more of this data is personal information, and some of it reveals intensely private details of a person’s life.”

Narayanan’s second set of targets are the cars themselves. But does the criminal’s cost-benefit calculation add up? Who stores credit card numbers in a car? Unless the vehicle itself is a luxury model sure to fetch a handsome price from unscrupulous buyers, compromising a car’s onboard systems doesn’t seem to promise much financial gain for the effort.

Rowland offered other motives. He suggests criminals might use computing devices to extort money by, for instance, locking drivers in or out of their cars.

A higher-reward scenario: Criminals “could hold a manufacturer to ransom. Crash 100 computers and it’s very annoying. Crash 100 new cars in central London and it’s a brand disaster.”

Could automotive cybercrime pay off?

Scenarios involving large-scale loss of life, injury and property damage get people’s attention. Yet several factors must align for such attacks to work.

Cars in motion would have to be connected to the Internet and, via that connection, criminals must be able to access systems like brakes, throttle, engine, adaptive cruise control and so forth. Otherwise, they could not control such an attack.

Having attacks go wider than a given brand might not be feasible, given the fact that different OEMs use different computing platforms, so what works on one make of vehicle likely won’t work on another. (It’s the reason, for instance, that malware that functions on Windows-based computers doesn’t work on Macs.) “It’s a lot of effort” for little payback, Narayanan says.

However, automakers may leave their proprietary “infotainment” systems behind in favour of Android Auto or Apple CarPlay hookups. “Entertainment systems look old after a couple of years,” Rowland says. “It’s not their core competency,” Narayanan adds.

Automakers may homogenize other systems too. If they do, criminals may get a larger, more Windows-like target to shoot for. The idea isn’t far-fetched; certain futurists predict that autonomous vehicles will talk to each other and to surrounding infrastructure.

Cybercrime prevention efforts

Carmakers are largely mum on the subject of automotive information security. However, they are all likely working, overtly or not, to safeguard their products.

Several have already hosted white-hat hacking events to find vulnerabilities. (The 14-year-old mentioned above made his mark at such an event.)

How are they using the knowledge they glean? Using data from these events and other sources, automakers are likely hardening the operating systems and other software in their vehicles. They can also keep unauthorized apps from installing themselves on vehicles. Autos may require digital certificates for any apps people want to install in cars. Automakers may require third-party app developers to register with them before they can produce apps for vehicles.

The libertarians among tech-savvy drivers might balk at this “walled garden” approach. If they do, expect automakers to point out the differences between an app crashing a phone and an app crashing a vehicle.

Automakers will “bake” privacy into their data-gathering processes to both appease privacy advocates and prevent security breaches.

Automakers may soon gather threat intelligence, using big data in a secure cloud platform to monitor activity in real time. Similar systems might alert automakers to suspicious activity within specific vehicles, much like certain building alarm systems already do.

There’s also an information sharing and analysis centre (ISAC) in the works. Automakers may use this voluntary mechanism to share intelligence on security threats and vulnerabilities affecting computer-controlled systems in vehicles.

The Society of Automotive Engineers has reportedly established a security committee and is drafting “standards and best practices to help ensure electronic control system safety.” Certain standards may evolve into cybersecurity ratings that mirror crash-test ratings auto buyers currently use to compare the relative safety of different vehicles.

What drivers can do

Drivers also play a part in their own information security. Automakers may educate drivers on best practices like:

  • ensuring apps and other files on their phones or storage devices (e.g. USB memory sticks, SD cards) do not contain malware that could compromise the connected vehicle.
  • wiping personal data from a vehicle’s infotainment systems before selling it or, if in a rental car, before returning it.

Drivers who can do without the benefits of connected cars may choose to avoid the risks as well. Automakers continue to cater to such drivers by turning out relatively low-tech new models. Edmunds.com recently identified eight 2015 models it considers “unconnected” (i.e. no cellular connectivity, keyless ignition or other hackable networked systems).

This article initially published by Canadian Automotive Review Magazine.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.