The past several decades have seen immense technological change occur in all aspects of life as computers have moved from what some once considered a curiosity to becoming a ubiquitous part of everyday life. While computers and computing technologies are perhaps most identifiable in the form of desktop machines and hand-held mobile devices, even the venerable automobile has transitioned from an entirely mechanical device to one that relies on an array of electronic sensors coordinated by one or more microprocessors. For the 2014 and 2015 model years, some manufacturers touted the advent of wireless networking features. However these new networking and computer-based features may open the door to serious vehicle dangers.
While these advances in technology have permitted automakers to offer increasingly complex features designed to cater to the whims and comforts of vehicle owners, this technology is not without its own risks. While the benefits of digital technology in vehicles has been promoted extensively in advertisements, it seems that the security risks and attack vectors introduced by these new features have not been thoroughly considered.
In light of these concerns, Senator Markey launched an inquiry regarding the problems presented by unsecured computer systems on today’s cars and trucks. The study was conducted by submitting a letter containing a questionnaire to 20 auto manufacturers. The manufacturers included most major auto producers including:
- BMW
- FCA (Formerly Chrysler and Fiat)
- Ford
- GM
- Honda
- Hyundai
- Mercedes
- Toyota
- Volvo
Three manufacturers did not respond to the inquiry. The questionnaire inquired into how prevalent computerized technology is in vehicles, the steps taken to secure these systems, the steps taken to safeguard personally identifiable information, and known security breaches.
What are the Main Vulnerabilities and Security Risks Found in Modern Vehicles?
One of the most troubling revelations in the study is that nearly 100 percent of vehicles on the market today have at least one vulnerability that can be exploited to provide remote access to and control over the system. In the best case scenario, nearly any vehicle sold today could have a defect which would present only a privacy risk. In the worst case scenario, a malicious individual could remotely seize control of the vehicle causing the driver inconvenience or an car accident. To be clear, the odds of a vehicle being hacked while the driver is proceeding down the highway is extremely slim – but the possibility does exist.
However, and perhaps just as disconcerting as the previous revelation, are automakers’ apparent lack of preparation or even concern for this risk. When asked about vulnerabilities and exploits affecting vehicle’s computer systems, only 2 of the 17 responding automakers could describe the steps, measures or processes necessary to detect an attack in real-time. Troublingly, most automakers that responded to the question referenced methods and technologies that were either inapplicable or ineffective for the task.
Vehicle exploits have been achieved in the lab and in the wild
Chris Valasek, a security expert, characterizes a modern vehicle as nothing more than a “rolling computer”. As anyone who has used a computer can tell you, computers are susceptible to viruses, Trojans, malware and a variety of other attack methods. While security researchers have had decades to uncover attack vectors for traditional machines, we are still in the early days of exploits affecting vehicles. Some of the techniques developed for stationary systems will be effective, but the true risk will be presented once wireless networks come standard on every vehicle.
Consider the progress that has already been made. In 2013, in one of the first demonstrations that a vehicle could be hacked, Mr. Valasek was able to seize control over a Ford Prius and Escape by exploiting vulnerabilities in the vehicle’s communication network. This initial hack was accomplished by tethering a laptop to the vehicle via a standard communications cable. Then, in 2014, the era of remote vehicle hacking began in earnest. At the August 2014 Black Hat Conference Mr. Vaselek along with long-time collaborator, Charlie Miller, demonstrated a remote wireless attack that could seize control of some vehicle systems using nothing more than the car’s built-in Bluetooth, telemetry or WIFI connection.
Improperly Implemented Wireless Key Technology can Also be Exploited
At the same security conference another security researcher, Silvio Cesare, demonstrated the ability to spoof, or mimic, the unique wireless signal generated by a wireless key fob. This exploit can allow an attacker to unlock the vehicle doors and trunk without ever touching the vehicle. According to Cesare, “[The attack] effectively defeats the security of the keyless entry.” However this attack sounds to be of the brute-force variety due to the amount of time it can take to crack the key code – up to 2 hours in a worst case scenario. However, the attack can often unlock the vehicle doors within minutes and, absent changes by manufacturers, as wireless radio equipment becomes more accessible and advanced the amount of time required to try all possible combinations should quickly be reduced. Cesare also located a glitch in the security, or a possible backdoor installed by the manufacturer, that stops the codes from rolling through combinations and allowed him to unlock the vehicle with the same combination. Such an exploit could conceivably allow an attacker to gain access to the vehicle.
These exploit illustrate the rapid pace at which both technology and the methods t exploit it are advancing. While in the 2014 model year Bluetooth radios became standard for many vehicles, 2015 may represent the year where WIFI, LTE and other wireless communication technologies make major inroads in the auto industry. In fact, this year General Motors has launched vehicles equipped with 4G cellular radios known as OnStar 4G LTE. This system allows for users to tether their phone to their vehicle to save their cell phone data plan, but it is also likely exploitable.
Furthermore as more vehicles provide amenities such as in-vehicle entertainment consoles complete with application and web browser access, the number of potential attack vectors will only increase. If the means to hack your vehicle wirelessly isn’t already present in your vehicle, there is a strong likelihood that you next car or truck – like your Windows installation or web browser — will have at least one open, unpatched vulnerability. But while the extent of the damage wrought by in a traditional hack is largely in personally identifiable information or financial data, the consequences of a moving computer being hacked are much greater. Here, all the normal risks still exist with the added danger of severe bodily injury.
Security Concerns Must be Resolved Before Vehicle-to-Vehicle Communications Systems Become Mainstream
One of the most promising areas for improving vehicle safety is in the arena of vehicle-to-vehicle, or V2V, communications. As the name suggests, technologies of this type would allow vehicles to “talk” to each other which traveling on highways and other roadways. Ideally, the technology would allow vehicles to share information regarding its speed, positioning, direction of travel, proximity to other vehicles, traffic conditions and many other aspects of the traffic and road conditions. Sharing information of this type through a cohesive communication network would allow for better collision avoidance as the evasive actions of multiple vehicles could be coordinated in concert.
However, like the computer that is introduced to a network, introducing a vehicle to a communications network also opens that system up to the possibility of exploitation or intrusion. Malicious individuals may be able to obtain personal information, send inaccurate roadway data, control vehicles remotely or otherwise cause havoc on the roads. Thus prior to the widespread adoption of any technology that allows vehicles to communicate, secured, interoperable communications protocol and systems must be developed. The hope is that vehicle manufacturers will contribute to NHTSA’s request for comment on V2V systems and that they will not rush into integrating technologies of this type before they have been secured.
What are the Potential Solutions?
Developing solutions to these problems is likely to require the coordinated efforts of consumer advocates, security researchers, auto manufacturers, and government regulators. Consumer advocates and security researchers have already played a role in highlighting both the already existing vehicle security problems along with the potential new challenges that more the widespread installation of wireless access points are likely to create. However the Markey report identifies a number of guiding principles that should inform the further development of vehicles equipped with wireless technologies. These principles include:
- Ensuring that vehicles systems are tested by using known attack vectors and security penetration techniques. Testing should be done periodically to guard against dangers presented by new exploits.
- Like most computer systems, real-time protection against malware and intrusion attempts must be developed and implemented. Real-time protection systems would likely require regular updates to remain effective.
- Ensuring that wireless access points do not reside directly on the CAN bus and other infrastructural design considerations to better harden the system.
- Ensuring that drivers are aware of vehicles’ information collection systems and how automakers use the collected information.
- Ensure that drivers can securely erase all personally identifiable information on the vehicle including the destinations that the driver has regularly or frequently traveled to.
Securing networked vehicles against remote attacks should be first priority. If these systems are deployed widely without hardening them to security risks, we could see a repeat of the PC-world late 90s and early 2000s where as unhardened, networked systems proliferated, self-propagating malware followed. While the costs of these early security lessons were largely in the form site downtime and monetary damages, networking security breaches involving a car, truck or SUV will also be measured in the injuries and deaths inflicted.
Injured by a Vehicle Defect?
If you have suffered a serious bodily injury due to a dangerous vehicle defect, such as an unsecured or malfunctioning onboard computer system, you may be entitled to compensation. For more than three decades the auto defect and personal injury attorneys of The Reiff Law Firm have stood up against the major automakers and insurers. For a free and confidential initial consultation, call (215) 709-6940 today.