As cars become ever more connected, security experts are warning of a new form of cybercrime: car hacking. Here, Rachel Boagey questions whether the latest buzz word for safety worries in the ‘smart’ car is a problem
When ‘hacking’ is brought up in conversation, we invariably imagine a traditional computer system, wired up to a wall, infected by a virus usually downloaded from the internet. However, as the connected car becomes more intelligent, and OEMs pursue both autonomous and semi-autonomous functions, car hacking is starting to be considered a real security threat.
Hacking occurs when the car’s computer system is accessed illegally via its connectivity functions. The outcome could be anything from data and/or vehicle theft to vital safety functions being deactivated.
Take the example of Megamos Crypto: this security system is used by several luxury brands in the Volkswagen Group, including Audi and Porsche, to pair a key with each car. It works through a coded algorithm transponder built into the car’s keys, which uses radio-frequency identification (RFID) to transmit an encrypted signal which in turn activates and deactivates the vehicle’s immobiliser system. Previously presumed safe, Megamos Crypto was hacked this year by a UK-based computer scientist, who has since been banned from revealing the compromising codes by High Court injunction – at the risk of millions of vehicle thefts if the material was to be published.
But, said Alex Fidgen, Director at IT security company MWR InfoSecurity, vendors are unwise to block security research: “they should work together with researchers to understand the nature and potential consequences of the threats they are facing.
“It is feasible that an exploitation of any number of embedded devices within a car might allow an attacker to gain control. For instance, this would have serious consequences if the brakes were applied at high speed.”
Indeed, veteran hackers Charlie Miller and Chris Valasek recently discovered a way to force a 2010 Toyota Prius to stop suddenly at high speeds or accelerate without the driver’s foot even being on the gas pedal. Likewise, they claim to be able to disable the brakes of a 2010 Ford Escape at very low speeds. The duo had to be seated in the car with their laptops hardwired into the vehicle to access the car’s system, but it is nevertheless a worrying fact for OEMs – not to mention drivers.
Remaining stoic, Ford responded to the hacking by saying that since the attack was not “performed remotely” but required “highly aggressive direct physical manipulation of one vehicle over an elongated period of time,” and it most likely did not pose “a risk to customers and any mass level”.
Despite this, Fidgen commented, “Manufacturers do not seem to have considered the security threat when using embedded computer systems. Cars are becoming increasingly more computerised, particularly supercars which sell for hundreds of thousands. But not enough thought appears to have gone into securing the systems which leaves the cars wide open to theft and the misuse of computer information.”
Privacy goes public
Safety is not the only concern here: a team at the University of South Carolina and Rutgers, found that, using the RFID tags in tyre pressure monitoring system, a car’s journey could be tracked, compromising the driver’s privacy. In a similar investigation in 2011, researchers from the University of California, San Diego, and the University of Washington were able to use Bluetooth and Wi-Fi to hack into a vehicle’s connectivity systems from a limited distance. The latter group decided to withhold details of which cars they were able to “own” for fear of the knowledge would be used by criminals.
However, that is not to say that any great amount of data would necessarily be stored in the car – as it would on a computer or smartphone, available for hackers to access. Speaking to Autoline, Nick Cohn, Senior Business Developer at TomTom reassured that “All of our systems are engineered so that there is no individual information or connection possible by anybody externally or even internally. [Security] is high on the list but more in terms of protection than specifically hacking.”
In truth, some compromises might be necessary to achieve the effective operation of safety and security functions. In August 2012, a Harris Poll of US drivers saw 76% expressing fears about connected vehicles, with 62% concerned that connectivity might compromise their privacy through, for example, monitoring where they drive and having insurance premiums increased through insurers monitoring their driving habits. While signing up for pay-as-you-drive, or pay-how-you-drive, policies is optional, if the security of GPS data cannot be guaranteed, surveillance may be possible. The fact that TomTom reportedly sold driver behaviour data to Dutch police, helping the latter target locations where there were often speeding vehicles, will be of no comfort to those concerned about privacy – despite the fact that the TomTom data did not actually identify individual vehicles.
The potential danger of car hacking and its use by criminals has not been lost on law enforcement bodies in both Europe and the US. The National Highway Traffic Safety Administration (NHTSA) has launched a cyber-security research programme investigating car hacking, and hopes to set up a taskforce focusing on V2V technologies which share information such as traffic conditions to other drivers.
Regardless, it seems that even the existing technology which drivers take for granted – such as remotely unlocking a car – is still a cause for concern. If cars can be hacked into by researchers like Garcia, the concern that real life hackers with malicious intentions will have no problem accessing vehicle control systems is completely founded. But, given that the most successful attempt so far was by two experts who were inside the vehicle, OEMs like Ford are safe for now with a relaxed attitude.
But, warned Fidgen, now is the time to start working on connectivity security. “Car manufacturers continually try to upstage each other with the latest computer gizmos for vehicles. They are on a never-ending treadmill to try and keep ahead and offer their customers the latest technology. However, they now need to take a step back and look at how security should be embedded into that technology.”
Rachel Boagey
