Driving under the influence of alcohol or texting while driving is still a bigger risk to your safety on the road, but the hacking experiments conducted on technology-heavy cars might be an indicator of break-downs to come.
Two security engineers proved that a car is not just a transportation device to get from point A to point B, but a vulnerable combination of individual software systems that can be hacked.
Back in 2013, Charlie Miller and Chris Valasek hacked a 2010 Ford Escape and a Toyota Prius. The two researchers demonstrated the ability to send commands from their laptop that did things like jerk the steering wheel, give false readings on the speedometer and odometer, sound the horn continuously, and slam on the brakes while going down the road.
They have done it again, this time with a 2014 Jeep Grand Cherokee.
When the hackers first did their experiment, they hardwired their MacBook directly into the vehicle. This year, they’ve gone wireless, breaking into a few of the 50 vulnerable attack points available to them.
Wired reporter Andy Greenberg acted as Miller and Valasek’s crash test dummy, as he did in the original demonstration. As he was driving the Jeep Cherokee at 70 mph down the interstate, the two hackers sat miles away in Miller’s basement and bombarded Greenberg with multiple attention diverting events at once. The air conditioner blasted cold air, the radio station changed and played at full volume, the windshield wipers came on and blinded his view with wiper fluid.
But it wasn’t only distracting annoyances that the hackers threw at Greenberg. The scary part started when they remotely cut the transmission. Remember, at the time he was driving down the interstate at 70 mph. The Jeep quickly lost speed and slowed to a snail-like crawl. On a busy interstate with zooming cars and an 18-wheeler closing in, you can imagine the fright that Greenberg felt.
Cybersecurity in the auto industry
At the Center for Automotive Research conference this year, it was acknowledged that almost every automaker in the U.S. has a connected “telematics” service, like GM’s OnStar, Ford SYNC, Chrysler’s Uconnect, and BMW Assist. The panelists said that these services are the first point of attack for hackers, and can be used as a springboard to gain access to the owner’s personal data. Because connected vehicles include easy access to smartphone and onboard apps, the driver’s credit cards, bank accounts, or other financial information could be accessed through the cloud. It’s also possible to access location data, vehicle locator, travel direction, and cell phone number.
The security risks presented by Miller and Valasek in 2013 got the attention of U.S. Senators Edward Markey and Richard Blumenthal. This past Tuesday they introduced legislation that would establish federal standards to secure our cars and protect drivers privacy.
Do drivers need to worry about their vehicle getting hacked?
Drivers don’t need to get worried yet. Besides thieves opening car doors with wireless hacks as we described in Mr. Robot Review: da3m0ns.mp4, only one malicious car hacking attack has been documented. In February 2010, a disgruntled employee hacked a fleet with more than 100 cars in Austin, Texas. He infiltrated their web-based vehicle-immobilization systems and essentially “bricked” their vehicles and caused the horns to blast uncontrollably.
How to protect your car from being hacked
- Think of your vehicle not as a simple car anymore, but a sophisticated device like your mobile phone. Familiarize yourself with the new electronic control units. These days that includes the lighting system, the engine and transmission, steering and braking, vehicle access system, and airbags.
- Apply updates and patches when your car manufacturer issues them. For example, Chrysler just notified owners of vehicles with the Uconnect feature that a software update is available.
- If you use services like OnStar, GM’s auto security & information service, don’t leave your documents or password in the car for a thief to find.
- If you use your car as a Wi-Fi hotspot, use a strong password to protect it.