Computer security companies and researchers have dedicated a lot of time and money to testing the virtual padlocks on your online accounts. Some are now focusing on a new threat vector: your car. “Hacking into your banking account and stripping your identity from your account is a big issue,” says Jack Pokrzywa, director of ground vehicle standards for SAE International in Troy, Mich., an automotive trade group that develops industry guidelines. “This happens to be a moving object.”
And it’s one that can be infiltrated with distressing ease, according to recent studies. Researchers led by Stefan Savage at the University of California, San Diego and Tadayoshi Kohno at the University of Washington succeeded in infiltrating automotive computer systems that are standard in every new car and truck. In lab and road tests, they found ways to activate a car’s brakes, stop its engine, and control lights and locks, all remotely. The findings have “raised the alert” of the industry, says Pokrzywa.
SAE formed a committee in March that is drafting new standards to provide greater security. They’ve established no timeline for completing the task. The Transportation Dept., which mandates some of the equipment researchers have exposed as vulnerable, has said it may revise its approach to regulation and testing. “Cybersecurity is an important industry issue,” says Dan Flores, a General Motors (GM) spokesman. “We are focused on equipping our vehicles with both the features and the security protections our customers want and need.”
Savage and Kohno started investigating car security two years ago, when they observed that cars were starting to look more like computers. “There are almost always security implications” when that shift happens, says Savage. Since 1996, regulators have required that all cars include an onboard diagnostic system to monitor engine performance and emissions controls. Since 2008, all new autos must include a controller area network, an electronic device that allows various car systems, such as antilock brakes and electronic steering, to communicate. On top of this, automakers have layered more computers in the form of audio systems, hands-free phone controls, and so-called telematics systems that provide navigation and emergency assistance, such as GM’s OnStar and Ford Motor’s (F) SYNC.
Savage and Kohno found that once they had access to part of a car’s innards, they could take over key functions. Their original research, published in May 2010, required plugging a laptop into a car’s diagnostic port, usually located beneath the driver’s dashboard, to gain control. Savage says that study was marginalized because the attack required physical access. At that point, “you may as well just cut the brake lines if you’re intending to do damage to the vehicle,” says Andy Gryc, a developer and designer for Research In Motion’s (RIMM) QNX division, which makes vehicle software such as the noise cancellation program in Fiat 500 cars.
A second study, presented in August, illustrated the myriad ways hackers could take over a vehicle without going anywhere near it. Savage and Kohno showed they could infiltrate test cars by attacking the Bluetooth connection used in hands-free phone systems, the computers used by mechanics, and by dialing the cellular number in telematics systems. Once connected, the team had control over most of the vehicle, including its engine and brakes. In one test, Savage’s students in San Diego hacked a test car in Seattle. They remotely unlocked the doors, turned on the engine, and sent the car’s GPS coordinates to Kohno’s students, who hopped in and drove away. Researchers at other universities have shown similar vulnerabilities, including ways to exploit keyless entry systems and wireless tire pressure monitors.
Savage and Kohno say it’s possible to make autos more secure by methods such as encrypting data. But security is “a moving target,” says SAE’s Peter Byk, a staff engineer. As automakers try to fill holes, they’re simultaneously adding new equipment and features. “You put up one brick wall, and the hackers can work around it,” Byk says.