They Hacked My Ride – Is YOUR Car Next?
By Kevin Gordon
Please forgive the bad pun and the local news scare tactic headline. I couldn’t resist. As electronic control systems and wireless communications technologies proliferate in automobiles, so will the opportunities to exploit them. As a result, expect this topic to become topical and for ratings attracting headlines to make it to the front pages of your local newspaper. After the break, we step through some of the information about what has been done to date, what might be possible, and determine if there is actually anything to fear.
Before we start, it is important to clarify something. The term “hacker” is typically misused, and as a result, we will use the term cracker (short for security cracker) for the rest of this post. A hacker, by definition, is really only someone who likes to tinker and figure out how things work. A cracker, is a person who likes to see if they can circumvent or defeat security measures to gain access to something. Think safe cracker and you’ve got the correct idea. Now, whether such a person decides to use these powers for good or evil is a totally different question. This question we will not be exploring today. With that out of the way, let us review what has been cracked so far.
The most known example of full scale automotive cracking came when researchers from the University of Washington and the University of California took control of most of the major functions of a car using its OBDII port. This example took place in 2010. In order to gain access to they car they plugged a device into the car which could then be managed remotely.
A year later, the same research team managed to gain access to the car remotely using only wireless access and a CD played in the car. Following that example, a team from Rutgers and the University of South Carolina managed to gain access to a car through its tire pressure monitoring system (TPMS). They were able to read the communication because it was completely unencrypted. In this example they couldn’t take over control of the car, but they could disable it. Finally, in a case that took place in Texas, a person was able to remotely access a large number of cars because they were outfitted with “black boxes” that are used for questionable auto loans. Here, the person who accessed the cars was a former employee of the company who sold the devices and retained access after being fired. These devices allow the lender to prevent a car from starting if payments are late as an alternative to repo agents.
These examples have started to open the industries eyes to the fact that they are vulnerable. Given the publicity of the unintended acceleration case against Toyota, the US government has started to take notice and has started to ask questions. The most popular question appears to be, “What is possible?”
The answers to this question vary greatly. Hypothetically, or course, anything is possible. In the extreme (and very unlikely) case, cars that have features like lane departure control and automatic stop-start technologies, could be driven remotely given the appropriate set of controls and access. More realistic, is that crackers could take advantage of vulnerabilities to remotely unlock and start cars. Additionally, as hands free devices become more prevalent people could also listen into your conversations.
OK. So what does this mean to you and me? At the moment, not a lot. To date, there are no reported cases of malicious cracking of cars that did not have a user installed device in them. In plain English, unless you allowed someone to put something in your car that can disable it, you are reasonably safe. Today, you are far more likely to have your car stolen or vandalized through traditional methods.
But what about in the future, Mr. Auto Writer Guy? As these technologies end up everywhere, what then? You still do not have a lot to fear. Why is that you ask? (All those have caused me to start having conversations with myself) The reason is simple. There is not a lot of money to be made in it. Sure, stealing cars is profitable, but remote controlling a car into a tree is just malicious. The reason for the huge amount of cracking on the Internet was because you could make a large amount of money doing it. In the early days, SPAM made people money. It may be true that people write viruses just to cause trouble, but in the beginning they were much more of a victimless crime. People did it just to show their power and skill.
That is where we are today. To date, nothing has happened that should cause any fear. At some point in the future, a car, or group of cars, will be cracked. My guess would be that in the beginning it will not be malicious, but just to prove it can be done. So the large challenge that remains is for automakers is how to maintain a lead in the race to add tech to cars while keeping people safe. Or am I just being naive? Put on your tinfoil hat and sound off in the comments. If you would like to read more the links below have some of the best information I found on the net.