Security Experts:

Forget Carjacking, What about Carhacking?

Like all computers, automobiles can be hacked and compromised. As auto manufacturers continue to rush new features to market, security cannot continue to be an afterthought.

If you’ve watched Gone in Sixty Seconds or played the video game, you’ve seen how easily a car can be hotwired—especially older models. Just pry open the steering column, connect the battery wires and touch the starter wires together. Vroom!

Stealing newer vehicles isn’t nearly as easy. However, tech-savvy thieves have some surprising ways of getting it done. In fact, a growing number of vehicles today can be unlocked and started by a mobile phone or via the Internet. They can be disabled the same way. All that’s required is some system data and a password.

Hacking CarsIf you’ve looked at new cars recently, you’re no stranger to sticker shock. Automobiles are one of the largest purchases most people will make in their lifetime. Yet, as expensive as cars have become, today’s vehicles contain something far more valuable than the vehicle itself: The occupants’ personal information. Given the amount of personally identifiable data showing up in cars, carhacking is a crime that’s about to gain traction.

Computers on Wheels

Today’s cars sport a growing list of innovative features. Embedded devices control everything from engine and brake performance to safety and emissions. There’s even a new system that monitors driver alertness. If only we could make this a standard feature on all automobiles.

As impressive as these features have become, safety and reliability don’t sell cars anymore. Today’s digitally connected consumers crave state-of-the-art infotainment systems, social networking capabilities, hands-free mobile phone access—even in-vehicle Wi-Fi hotspots. Yesterday’s breakthroughs—built-in navigation systems and voice-activated controls—are standard equipment these days—not just in high-end cars, but in entry-level Fords as well.

Make no mistake, cars are becoming increasingly digitally powered, and this trend will continue. Consulting firm Frost and Sullivan estimates that cars will require 200 million to 300 million lines of software code in the near future. Unless you have serious skills in computer science and embedded systems, gone are the days of being able to work on your own car for anything but routine maintenance.

Put simply, cars have become sophisticated mobile computers. And like all computers, automobiles can be hacked and compromised. Interconnectedness with other embedded systems and cellular networking or Internet connectivity can also introduce security flaws that may become exploitable. As auto manufacturers continue to rush these new features to market, security cannot continue to be an afterthought.

Drive-by Hacking

Hacking Cars Electronics SystemsWhere personal information is available, there’s money to be made by cyberthugs. Onboard systems that provide access to email, voicemail, social networking and location-based media offer a treasure trove of valuable personal information—information that can be stolen and exploited for financial gain.

So just how secure is the personal information that resides in today’s digitally friendly vehicles? Security experts are taking a close look at this issue, and what they are finding is alarming. Last year, researchers at the University of California, San Diego and the University of Washington demonstrated that critical safety components of a vehicle can be hacked via Bluetooth access. In addition, researchers at the University of South Carolina and Rutgers University were able to mount attacks that tracked a vehicle and compromised passengers’ privacy. What’s surprising is how they gained entry to the vehicle’s control systems. New vehicles now contain RFID tags in the rims that transmit tire-pressure information to the car’s control systems. These signals can be intercepted at distances up to 40 meters. Researchers have proven that cyberthugs can use these and other wireless transmissions to hack into the car’s digital systems to compromise passenger privacy.

Even the police aren’t safe. One security expert was able to easily hack into onboard police cruiser systems, access dashcam video storage and copy and delete these files using basic FTP and telnet commands. What’s truly troubling is how easily this expert gained access to these systems—using a default password for the patrol car’s DVRs, which was readily available in support manuals found during a routine Internet search. Who is responsible for protecting personal information? Evidently a provider of aftermarket GPS systems figured it wasn’t his problem. He was caught recording driver behavior and selling it to Dutch police, who used the data to target speeding vehicles.

And what about the personal safety of drivers? Navigation systems and mobile phones can pinpoint a person’s location. Imagine the cyberstalking vulnerabilities that could be exploited by understanding a person’s behavior pattern, tracking their location and being able to remotely disable their vehicle. It’s scary, creepy—and yes—readily possible right now.

Where the Rubber Meets the Road

Protecting personal information has become a hot regulatory compliance topic. As the vulnerabilities we just discussed begin to be more widely exploited, it stands to reason that auto manufacturers who fail to protect both personal information and vulnerable safety systems could soon face expensive recalls and fines. Smart manufacturers will secure their customers’ vehicles before serious public safety issues and brand-damaging exploits can occur.

In fact, security will soon be a key differentiator in the new breed of intelligent automobiles. One proponent for strengthening automobile system security is Professor Christof Paar, chair for Embedded Security at the electrical engineering department of Germany’s University of Bochum. According to Paar, “Security will soon become an enabling technology for almost all innovations in cars. Most people would rather have malicious software running on their laptop than inside their car braking system. Thus, incorporating strong security solutions will give manufacturers a competitive advantage.

Getting a Handle on Carhacking

Here’s the good news: There’s no need to become digital roadkill. There are proven technologies available today that make it possible for automakers to secure the embedded devices that power these digital systems.

The best way to easily and cost-effectively protect embedded devices—in automobiles and other systems—is to implement a security solution that features application whitelisting and change control technologies. Whitelisting lets you create a dynamic set of applications authorized for the device. A whitelist can be built into the embedded system’s gold image and applied automatically to all devices being provisioned. As for change control, you can prevent any unwanted changes. For authorized modifications, you can track who changed what, where and when. All changes are logged and administers can be alerted.

Related Reading: Car Hacking: Researchers Highlight Emerging Risks and Lack of Security in Automobiles 

Related Reading: Attacks on Mobile and Embedded Systems: Current Trends

Related Reading: Introduction to Security for Smart Object Networks Devices

Subscribe to the SecurityWeek Email Briefing
view counter
Eric Schou is a Group Product Marketing Manager at McAfee. He is currently a part of the Security Management Group. Before joining McAfee, Schou spent more than 15 years in the security and storage industry.
view counter