A US senator has asked leading car manufacturers to explain how they secure their vehicles against cyber attacks. Democrat Edward Markey’s request comes after recent disclosures from security experts who have reported on how they have hacked into cars.
Markey asked 20 leading car makers to respond to a set of questions about vehicle security, including how they test modern electrical systems and onboard wireless networks.
Recent news reports suggest that Markey’s concerns may well be justified.
Last year Naked Security reported how a $30 hacking kit could be used to steal BMW cars and, in August, researchers Charlie Miller and Chris Valasek showed Forbes reporter Andy Greenberg how a ride in a Toyota Prius could turn into the journey from hell.
Their research showed how hackers could take control of a car’s electronic smart steering, brakes, acceleration, engines and lights.
It’s not just the bad guys who can manipulate the electronics in modern cars, though. Yesterday, the BBC featured an article about RF Safe-Stop, a device capable of stopping a vehicle by blasting electromagnetic waves at it, which it says is something of interest to the police and military.
Markey, who also has an interest in the area of privacy, wrote a letter to Ford, General Motors, BMW and others on Monday in which he said:
As vehicles become more integrated with wireless technology, there are more avenues through which a hacker could introduce malicious code and more avenues through which a driver's basic right to privacy could be compromised.
These threats demonstrate the need for robust vehicle security policies to ensure the safety and privacy of our nation's drivers.
The Auto Alliance, an industry group which represents the leading car manufacturers, responded yesterday with a statement in which it said:
Auto engineers are incorporating security solutions into vehicles from the first stages of design and production, and their security testing never stops.
As cars and other forms of transportation increasingly incorporate in-vehicle computer systems to help with everything from safety to navigation, cyber-security is among the industry’s top priorities and the auto industry is working continuously to enhance vehicle security features.
The National Highway Traffic Safety Administration (NHTSA) also responded to recent concerns over car hacking. From a statement released on Tuesday:
While increased use of electronic controls and connectivity is enhancing transportation safety and efficiency, it brings a new challenge of safeguarding against potential vulnerabilities. NHTSA recognises these new challenges but is not aware of any consumer incidents where any vehicle control system has been hacked.
The senator, however, believes that the automobile industry has played down the risks highlighted by recent security research, saying that:
Airbags and seat belts protect the safety of drivers, but we also need car companies to ensure the security and privacy of those in automobiles in this new wireless age.
Markey, who serves as a member of the Senate Commerce, Science and Transportation Committee, believes that the risk of vehicles being hacked is significant and that tracking and navigation systems in modern vehicles could be used to collect driver data without the consumers’ knowledge or consent.
He would like Congress to examine car security policies.
On the other side of the fence Stuart McClure, Cylance Inc’s chief executive, downplayed the threats posed to cars by hackers, telling Reuters that such attacks were far harder to implement on vehicles than on traditional computing devices.
Yes, let’s build cars that have functionality based on and controlled by MS Windows. That makes me want to run out and buy one. Cars are for driving, you should not be distracted by sending text messages, answering emails etc, even if this is done by voice controls.
What about changing radio channels, changing CDs, looking at SatNav, talking to passengers, controlling children, or using the cigar lighter?
About non-voice-controlled phones, and (heaven forbid) text messages, I agree.
“On the other side of the fence Stuart McClure, Cylance Inc’s chief executive, downplayed the threats posed to cars by hackers, telling Reuters that such attacks were far harder to implement on vehicles than on traditional computing devices.”
I’d like to hear McClure talk on this in more detail. Considering the ease with which attacks are implemented on traditional computing devices, his statement doesn’t really set the bar very high.
After all, some recent research has claimed that the residential computer infection rate is currently around 10 percent, and the Android smartphone infection rate is currently at 0.6 percent and climbing.
To put this into perspective, it is estimated that 6 out of every 1,000 smartphones is infected, and 1 out of every 10 home PCs is infected with some sort of software deployed/controlled without the user’s consent.
I’d consider even 1 out of every 10,000 vehicles running software deployed/controlled by a third party without permission to be extremely problematic. And this is completely separate from the data leakage possible in any system not actively designed to thwart it.
For $30.00 someone can buy a hacking kit & steal a BMW. That really doesn’t sound all that hard to me.
You’re probably referring to this:
http://nakedsecurity.sophos.com/2012/09/18/bmw-stolen-hacking-kit/
It’s not *quite* as easy as your comment makes it sound. IIRC you have to get into the car first to reprogram your dodgy keyfob. Then the fob may let you get into the car and start it. That’s not good, but it means we’re talking more of an Elevation of Privilege than a Remote Code Execution.
Based on the research presented by Charlie Miller and Chris Valasek, you would need a short window of physical access (it really is king) in order to do one of two things; 1) Set a repeating command and pull the fob. It’s like ARP Spoofing in the old days, whoever speaks the most and/or loudest is king on those two vehicles. Or, 2) It’s not a giant leap to hook up wireless to your dodgy fob and control the car from there.
Such are the problems that can be introduced by further ‘integration’ of cars, vans, lorries control systems – potentially putting human lives at serious and uncontrollable risk. Electronics has a role to play in engine management, chassis controls, etc. In my view, as an electronics and automotive engineer, each system area should remain entirely separate, only sharing the DC power supply from the battery/alternator. Only with that degree of independence can there be no possible interaction between systems (providing they are properly shielded), as the weakest link is always the preferred ‘way in’. So isolate any access control (the key fob and related electronics for example), any ICE services that may include mobile phone or WiFi technologies, etc. The only ‘downside’ is the subsequent need for different means of service access that should always be by physical connections, rather like a unique Ethernet network for each separate functional system. And the need for garages/service centres to have different instruments for each system to test and set up. Cars used to work perfectly well without such high levels of integration of ‘add on’ features.
There’s a video on YouTube of a gang of high-tech car thieves stealing a new Audi RS4 (with keyless locking) by hacking into the car’s diagnostics socket and disabling the anti-theft system.
This is an area where EU legislation requires the information to be disclosed (to prevent a monopoly) but in doing so creates a very real security risk. Until this is resolved it seems stupid to buy ANY car with keyless locking.
Eurofighter Typhoons can only be flown by their computer systems. Those front ailerons cannot be controlled manually. I hope they’re robust against hacking, otherwise they would fall out of the sky!
Well that is just downright scary, having someone hack into your steering or brake system. I hope they find a means of blocking that potential.
I stay alive because of an ACID (Automatic Cardiac Internal Defibrillator), it also paces my heart. This device could be destroyed by one of their “Safe Stop” devices. EMF pulses are not something they can use around people today because of the installed electronics that keep people alive.