Wired recently published a report about hackers who took over a car, making the radio, climate control, brakes, engine, and steering unresponsive. Now, this isn’t necessarily new. My dad’s 1975 Mercury Monarch had these same issues all the time as well. The difference is that the hackers meant to do this, and weren’t even near the car when it happened.
How they did it was interesting in a terrifying kind of way. The steps were roughly as follows:
- discover Uconnect exploit
- discover that the exploit is possible over Sprint’s 3G network
- determine it’s possible to run arbitrary code in the vehicle
- write firmware that can control vehicle functions
- scan Sprint’s network for a Uconnect vehicle
- log vehicle identification number (VIN), GPS location, speed, etc., just for kicks
- flash hacked firmware to replace the code in vehicle’s radio head unit
- control the vehicle’s radio, a/c, brakes, engine, steering from basement (must be from basement according to official hacker policy)
- scare the crap out of people who understand the potential of this exploit
Uconnect is an option in some Fiat Chrysler vehicles that creates a WiFi hotspot with internet connection. It allowed Charlie Miller and Chris Valasek, known car hackers, to remotely control a 2014 Jeep Cherokee from the comfort of Charlie Miller’s basement 10 miles away, while Andy Greenberg, a Wired reporter, allowed himself to be taken for a ride. Right into a ditch. They are presenting their work at the Black Hat conference in August.
Fiat Chrysler Automotive (FCA) issued a recall and released a fix for this vulnerability. They also worked with Sprint to apply network security measures for this issue. This vulnerability was first recognized by FCA in January 2014.
Miller and Valesek’s previous exploit controlled a vehicle from the back seat while attached to the vehicle’s service connector. They didn’t scare automobile manufacturers enough back in 2013, presumably because that’s how we automotive engineers normally do stuff, so they took it one step further with this wireless exploit.
Other previous wireless exploits from researchers include texting to a Subaru to unlock and start it. That was with a 3rd party system installed in the car. A man-in-the-middle attack was able to lock and unlock BMWs.
In 2011, researchers probed every nook and cranny of a car looking for chinks in its armor. The car apparently wouldn’t have made it through the opening credits of a Game of Thrones episode because its armor was more like a sieve. The researchers found ways to exploit the car’s Bluetooth, cellular service, FM RDS, CD player, tire pressure monitor sensor (TPMS), and of course, the service connector.
Yes—CD player was on the list. They were able to run arbitrary code while playing music through the CD player. All of the vulnerabilities required skill and effort to exploit, but they did it.
In general, I don’t worry as much if physical access is necessary. If someone gets a hold of your car, computer, house, or whatever, your protection options become very limited. But remote access—that’s what scares me, especially as more cars become connected to the internet.
Why cars have to be connected to the internet is an issue that I’ll ignore for now.
The internet is like a big city with lots of features and attractions. But there’s also a seamy side to it that most would do well to avoid (so I’ve been told). And this is where we are bringing our cars.
If someone hacks your computer, they could download all kinds of personal information, including financial data. Hackers could drain your bank accounts, run up your credit cards, and leave you homeless begging for free Tweets at your local Starbucks. (My policy is to keep bank accounts empty and credit cards high so that hackers’ impact is minimal. Winner!)
Hacking into a car is much worse—hackers can control your freakin’ car! I’ve already complained about the lack of manual transmission in cars, so this is definitely as bad. Also, you could die.
So all we have to do is make our cars as secure as computers on the internet, right? (see above: sieve)
Well, it gets more interesting. In 2014, NHTSA (National Highway Traffic Safety Administration) announced plans for vehicle-to-vehicle communication technology. This technology allows cars to talk to each other, helping to avoid crashes.
(“Hey, Prius, I’m going to run this red light. Could you wait a few seconds before crossing the intersection? Much obliged, thanks!”)
As an engineer
who spoofs his MAC address on personal devices at work to get onto the company WiFi or takes advantage of a Cisco vulnerability in its VPN protocol concerned with passenger safety and security, I have some concerns about this. I don’t work directly in this field, but I’ve had technical discussions conversations with those that do.
There are companies out there that want to externally control your vehicle with this technology. For example they would like to take over the car’s longitudinal control (stop/go) in specific conditions. It’s for interesting applications, and I’m sure they’ve thought about the security aspects for them (right? right?), but doesn’t this give one pause about the concept of inter-vehicle communication?
If I wasn’t clear enough the first time, this is an external entity controlling your car on purpose.
There’s a need to balance priorities here, because the goal of these advancements is to reduce damages, injuries, and fatalities, not create a potential for more.
I won’t even bother discussing the issues of spoofing signals or the possibility of a type of denial-of-service (DoS) attack in this system.
Also, car companies such as Tesla and Ford use over-the-air (OTA) updates for their vehicles to download new software. I’m going to assume this is as safe as Microsoft’s or Apple’s software updates on personal computers.
Luckily, there’s a Senate bill to our rescue. Senators Markey (D-Mass) and Blumenthal (D-Conn) are sponsoring a bill called “Security and Privacy in Your Car Act of 2015” (SPY Car Act of 2015) that addresses cybersecurity standards in automobiles.
It’s a well-intentioned bill whose main points are that vehicles must have:
- protection from hacking (inherent protective measures)
- security of protected information (data privacy)
- detection, reporting, and responding to hacking (monitoring system)
Vehicles sold two years after this bill is passed will also have a Cyber Dashboard label, providing the consumer information about the cybersecurity and data privacy of the vehicle.
So the government solves another problem. Rest easy at night, citizen.
The Last Stand
For the handful of people out there who don’t trust our government as much as I do, I have another suggestion.
Dust off that 1977 Pontiac Trans Am languishing in your garage (mine is called a 944 Turbo). Use its old technology to your advantage.
Worried about that CD player vulnerability? Not with that 8-track player, you won’t. You couldn’t log into AOL with that magnetic media. (Kids, ask your grandparents about AOL. And CDs.)
Worried about someone texting your car to open the door? Hackers would need to hack a metal coat hanger to do that, and those disappeared sometime in the 1980s.
Worried about hackers tracking your GPS coordinates through your navigation system? Well, that security hole in the muffler will only let hackers track you to a resolution of 2-3 city blocks.
Worried about someone starting your car remotely and driving off with it? Hackers would have to get physical access to objects like a big rock and screwdriver to drive off with that Trans Am. Where’s someone going to find those?
Again, more proof that the good ol’ days were always better.
“The good old days are now.”
“How did we ignore our kids before smartphones?”