Unsafe at any speed? Cars ripe for hacking, report says.
- By Kevin McCaney
- Sep 08, 2011
Automakers in recent years have been loading up their vehicles with enough high-tech features to make George Jetson feel at home.
In addition to parallel-parking for you or detecting when you drift out of your lane, they’ll let you start them up from your smart phone, automatically play your favorite tunes and read your Facebook updates to you.
A car these days can be just another node on your personal network. But all of this connectivity and software-driven convenience also can leave your vehicle open to cyberattacks.
Highway safety chief: Car not a ‘mobile device’
A report released Sept. 7 by security company McAfee described ways in which the embedded systems and wirelessly networked features in cars can be exploited to track, disable or take control of a vehicle, and how personal information on connected devices such as smart phones or tablets could be exposed.
And although there haven't been reports of any significant cyberattacks on vehicles so far, the burgeoning number of networked features are making them an attractive target for attack, the report states.
The potential exists for anything from pranks to information theft to, conceivably, turning off safety functions.
For example, the report says, researchers from the University of California-San Diego and the University of Washington last year developed software they called “CarShark,” which they used to hack into a car’s safety components via a laptop. At first, the team needed physical access to the car, but they later remotely staged attacks via Bluetooth.
Another research team showed how radio-frequency identification tags inside tires, which send sensor data wirelessly to the vehicle, could be exploited to track a vehicle.
The report also cited an incident in Austin, Texas, where a laid-off employee of a car dealership tapped into the dealership’s system and remotely disabled 100 cars while also setting off their horns.
Embedded systems, however, could only be the tip of the iceberg when it comes to automotive vulnerabilities. The report, which McAfee produced with mobile software maker Wind River and embedded security provider Escrypt, points out that cars are increasingly being connected via the Internet to the mobile applications that people don’t leave home without.
That opens the door for malware to be downloaded to cars’ infotainment systems and, by extension, any device that connects with the car. And security experts have been saying for some time that mobile applications are likely the next big focus for cyber-attackers.
The evolution of automobiles into infotainment centers isn’t popular with everyone. In June, National Highway Traffic Safety Administration Chief David Strickland, citing the dangers of distracted driving, spoke out against what he called unsafe entertainment and social media features in cars.
But his could be a voice in the wilderness. Beyond personal entertainment and Global Positioning System navigation, vehicles are increasingly being connected for everything from fleet management and municipal pothole reporting apps, to use as rolling weather sensors. The McAfee report also cites ongoing research into developing driverless cars, for uses such as taxis in Las Vegas.
The report calls for greater emphasis on the security of on-board computer systems, from both manufacturers and consumers, and offers consumer tips on what to look for with regard to GPS systems, Bluetooth security, on-board storage and other factors.
As with other forms of mobile computing, responsibility for security will increasingly fall to the users. And buying a new car will involve more than just kicking the tires.
Kevin McCaney is a former editor of Defense Systems and GCN.