Hacking my car: not a reality yet, but it’s coming

November 6, 2014

What does it take to hack a car? Modern cars are filled with various kinds of electronics, which are, quite naturally, controlled by a central hub: in other words, an automotive on-board computer. And guess what? It can be hacked!

Last year, Charlie Miller and Chris Valasek showed a Forbes editor how to disable the Ford Escape’s brakes by using a laptop connected to the car’s dashboard. Miller and Valasek managed to reverse-engineer enough of the software of the Escape and the Toyota Prius to find several ways a hacker could play a variety of dirty tricks: from annoyances like continuously blasting the horn, to serious hazards like slamming on the Prius’ brakes at high speeds. They sent commands from their laptops that killed power steering, spoofed the GPS, and made pathological liars out of speedometers and odometers. The only “setback” was that the hack required direct access to the onboard system.

Earlier this year, Valasek and Miller presented their industry-wide study of remote hacking possibilities (which are, thankfully, not actual hacks – yet) for smart cars at Black Hat USA.

What they have found is both encouraging and a bit alarming. The good news: it won’t be that easy to hack a smart car, so no car-based botnets any time soon. And remote grand theft auto is also in the distant future. Hacking a car, according to Valasek, is hard, expensive, and time-consuming.

The bad news is it is ultimately still possible, and, according to Valasek, a car attack “would be very targeted”. Which means that special-purpose vehicle producers and their potential clients – dignitaries, military personnel – should pay attention to this study. Most likely, they’d be among the first at risk.

The topic of car hacking actually gets re-ignited on a regular basis. Javier Vazquez-Vidal and Alberto Garcia Illera demonstrated vehicle control using a $20 device at Black Hat Asia 2014. There were discussions of how “old and dumb” the car computers were, “built safely enough back in the 1990s, when the car was a closed box”.

In August, Wired ran an article about a security researcher who found a way to “spoof the signal from a wireless key fob and unlock a car with no physical trace, using a code breaking attack that takes as little as a few minutes to perform”.

Then, last month, the security firm Coalfire started publishing the findings of their research and penetration tests aimed at car systems, going as far as to show how built-in smartphone connectivity to the automotive system can be exploited – essentially it boils down to a compromised vCard in the phone and an SQL injection attack.

“Successful exploitation often grants unfettered access to the infotainment system, which is essentially just a QNX operating system. A foothold like this can then be used to exploit a variety of other subsystems including the CAN bus, further exposing the vehicle and those inside to risk. The research is out there, we need only to tie it together,” the researchers said.

They have also stated that by exploiting “vulnerabilities discovered in hidden and undocumented interfaces,” they were able “to harness GPS functions to locate cars, lock and unlock vehicles, and perform other malicious tasks”.

Linked above is just the first part of their research, but it’s definitely worth reading the entire report.

Hacking a car, in theory, may lead to dire consequences – it’s just too easy to imagine what real bad guys can do with a car they have hijacked remotely.

But remote access has several requirements: the car system must have an entry point with a “welcome, hackers” sign on it, and this entry point must be connected to essential systems such as brakes, steering, or airbags. Miller and Valasek note in their research that in certain models of smart cars, the so-called “viable attack points” – Bluetooth, telematics, radio – are isolated from the safety-critical components, to the point that they work on different computer networks. That’s apparently the safest possible architectural approach, given that cars are no longer the “closed boxes” they used to be.
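The separation described above can be checked on paper before a vehicle is built. The following added example (not from Miller and Valasek’s study or from any carmaker) audits three constructed, hypothetical bus layouts and reports, for each attack point, the shortest chain of ECUs linking it to a safety-critical component; the bus and ECU names are assumptions made for illustration.

```python
from collections import deque

# Constructed topologies (hypothetical, not taken from any real vehicle):
# each bus maps to the set of ECUs attached to it.
FLAT = {"can_main": {"bluetooth", "telematics", "radio",
                     "brakes", "steering", "airbags"}}
GATEWAYED = {"can_infotainment": {"bluetooth", "telematics", "radio", "gateway"},
             "can_chassis": {"gateway", "brakes", "steering", "airbags"}}
ISOLATED = {"can_infotainment": {"bluetooth", "telematics", "radio"},
            "can_chassis": {"brakes", "steering", "airbags"}}

ATTACK_POINTS = {"bluetooth", "telematics", "radio"}
SAFETY_CRITICAL = {"brakes", "steering", "airbags"}

def exposure(buses, sources=ATTACK_POINTS, targets=SAFETY_CRITICAL):
    """Map (attack point, safety ECU) -> shortest chain of ECUs linking them.

    Two ECUs are neighbours when they share a bus. Every ECU strictly inside
    a chain is one an intruder would have to get through first, so a longer
    chain means better separation and a missing pair means no path exists.
    """
    neighbours = {}
    for ecus in buses.values():
        for ecu in ecus:
            neighbours.setdefault(ecu, set()).update(ecus - {ecu})
    chains = {}
    for src in sorted(sources & neighbours.keys()):
        prev, queue = {src: None}, deque([src])
        while queue:                        # breadth-first search from src
            node = queue.popleft()
            for nxt in sorted(neighbours[node]):
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
        for tgt in sorted(targets & prev.keys()):
            chain, node = [], tgt
            while node is not None:         # walk predecessors back to src
                chain.append(node)
                node = prev[node]
            chains[(src, tgt)] = chain[::-1]
    return chains

if __name__ == "__main__":
    for name, topo in [("flat", FLAT), ("gatewayed", GATEWAYED), ("isolated", ISOLATED)]:
        chains = exposure(topo)
        worst = min((len(c) - 2 for c in chains.values()), default=None)
        print(f"{name}: {len(chains)} exposed pairs, fewest ECUs in between: {worst}")
```

A chain of length two means the attack point and the safety-critical ECU sit on the same bus; an empty result means the two groups share no path at all.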

Valasek and Miller’s research paper suggests that not all carmakers are equally cautious about the security of the networked components, but then again, so far the researchers’ work is theoretical. They acknowledge they have yet to attempt some actual remote hacks.

And while CNN makes some startling statements such as “The next generation of Audi and Tesla automobiles are connected to the AT&T network. Wires won’t be needed to hack them”, it is still a question of how viable the remote attack possibilities are.

But from the security point of view it is reasonable to assume that cars are as eligible to be cybercriminals’ targets as any other critical systems, such as ICS. The situation is similar: connectivity is being added to legacy equipment, putting it at risk from something that hadn’t been taken into account when this equipment was designed. To make things right, the equipment must be replaced with items that have security in mind from the ground up.

It’s the same with cars. Connectivity is great for users. It’s really convenient to command your car to block the brakes remotely; one day we will be able to command cars to park themselves. Google is actively working on a self-driving car, operated by AI.

Imagining AI getting remotely hacked feels like a re-enactment of the events in the 1977 thriller “The Car”; it’s a bit scary. Only the correct approach to automotive systems’ security can prevent scenarios of this kind from becoming a reality.

This “correct approach” includes, among other things, brick-walling possible “attack points” from any safety-critical components, high-grade quality assurance, and the ability to update software when new flaws are discovered. It’s most important that the car on-board systems are designed with security in mind from day one.

Just like it should be with any system of critical importance. Our lives depend on it.