The more advanced vehicles become, the bigger the security vulnerability
From automated vehicles to connected cars, as advanced vehicles with complex computer systems hit the road, hackers will be there waiting for them.
Today’s vehicles have reached a level of technical sophistication never seen before, and many include wireless technology as a standard feature. They also rely more and more on computers to offer an improved driving experience. However, as two bold and curious hackers found out — for the second time — computerized car technology could become fatal in the wrong hands, thanks to innovative and observant hackers.
Hacking a computer system has become so common that we accept it as a way of life. It has grown to the point that it cyber security is now a point of national security. As it turns out, the threat of hacking could lead directly to your death.
The Dark Side of Connected Technology
In 2015, Charlie Miller and Chris Valasek contacted Wired in order to demonstrate what car hackers could do to some of today’s modern cars. They used a 2014 Jeep Cherokee as their test case and remotely hacked into the vehicle’s system to cut the transmission while a reporter drove on a major interstate. Just to add a little more terror to the drive, they also disabled the brakes.
The hackers took control of the vehicle using nothing more than an internet-connected laptop, which they then used to attack the car’s diagnostic system. Thankfully, Miller and Valasek presented their findings to the automakers rather than keeping it to themselves. Fiat Chrysler Automobiles was a little embarrassed, but it quickly fixed the security vulnerability. If technology has proven anything, however, it’s that no system us completely safe.
To help further prevent hackers from killing its customers, the automaker even made went so far as to announce that it would pay hackers bounties, ranging from $50 to $1,500, for uncovering further security flaws.
If technology has proven anything, however, it’s that no system is completely safe.
New tech, new hacks
Miller and Valasek once again elected to test the security of the same type of 2014 Jeep, although this one had the patch. That helped, but the duo still managed to find significant vulnerabilities.
While the previous hacks were conducted remotely over the internet, the current round of attacks need to connect to the vehicle’s control area network (CAN) bus, via a port located under the dashboard. So if someone wants to hack a car, it’s no longer as easy as just driving by, they need to physically breakintoo that automobile. Nevertheless, the results of Miller and Valasek’s tests show how at-risk wireless-enabled and computer reliant cars are, even with the subsequent security patch. There is always a new vulnerability waiting to be found, and the more complex the automobiles get, the more vulnerabilities will emerge.
Last year, the pair discovered that when compromising a vehicle through the diagnostic system, they could disrupt the transmission on a highway – which could be unsettling, but mostly just killed the car. They could manipulate the brakes, which in theory could cause a fatal crash, but they could only do that at speeds of five miles an hour or lower. This time, using the new approach of connecting through the car’s CAN bus, they were able to manipulate the steering of that same Jeep – even with the security patch – while it was moving at full speed.
To demonstrate how dangerous this could be, the pair focused on the vehicle’s steering column and targeted the engine control unit. They sent signals via the Jeep’s adaptive cruise control mechanism that disabled the power steering, then turned the car while activating the emergency brakes. If someone did that to a car at speed, it could send that car into oncoming traffic, or even force it to completely flip over. Neither would be particularly good for the occupants of the car and could easily lead to a fatality.
There are many ways dedicated hackers might adversely affect these connected cars, and the difference with this most recent hack is that it happened when the hackers were inside the vehicle, rather than controlling things remotely.
The Hacks Aren’t Easy to Pull Off
Miller and Valasek recently announced they’ve halted their car hacking efforts for good. The pair admitted that, because the hacks were so time-consuming to pull off, it’s unlikely hackers would begin to target cars on a widespread basis. Even so, the fact that it’s possible to orchestrate such stunts is surely enough bait for hackers interested in capturing headlines and gaining notoriety.
The difficulty in pulling off such hacks might even attract hackers who love the challenge of cracking something that seems initially impenetrable. Like, say, an ATM.
It’s also important to realize that, although Jeep has been most often linked to car hacking recently, it is more a consequence of technology rather than a slight against one particular automaker. Hackers recently made international news when they were also able to infiltrate the system of the Mitsubishi Outlander Hybrid. That project was another remote hack, and it drained the car’s battery, controlled the lights, allowed the hacker to disable the car’s alarm system, and ultimately let him get inside the car.
The duo have even created a list of the nine vehicles they deem most hackable, but it is far from a comprehensive list. It does include vehicles from manufacturers located all over the world, so it is not a regional problem either.
Are Automakers Responding Appropriately?,
Besides implementing a security patch, the Fiat Chrysler ordered Sprint not to send TCP/IP traffic to its vehicles, which otherwise would in theory, leave it open to attacks over the internet. However, many people are wondering if those fixes are sufficient.
Despite the company’s offer to pay people for finding security flaws, the now-famous Jeep hackers said they did not receive a warm reception from automakers. Although it’s undoubtedly frustrating for manufacturers to deal with the recalls and bad press associated with security breaches, they must be proactive and err on the side of caution instead of merely letting hackers find problems and report them for payment. With more and more cars moving towards a form of autonomous driving, that increases the amount of computerized technology incorporated in the vehicle – which means there are more potential ways to hack it.
Turning to the public for help in uncovering security shortcomings is a great first step. But since automakers are now aware of some of the ways hackers may control wireless vehicles, they must stay one step ahead of them by performing periodic in-house tests and recruiting top security personnel to give them the scoop about potential new hacking strategies. They must also be willing and able to upgrade the car’s security, even indefinitely.
Ten years from now, the odds are that hackers will have the technology to easily crack the level of security being used on vehicles like the 2014 Jeep. Cars can frequently remain on the road for 20 or 30 years, meaning there will potentially be thousands of vehicles on the road in a decade or less that could be open to hackers.
As it stands, it seems the sky’s the limit when it comes to what a hacker could do to a car, whether that’s getting inside it to steal something or controlling how it moves along the highway. If car manufacturers genuinely care about the public’s safety, not to mention the integrity of their brands, they must take decisive action while designing car wireless systems, and robustly and regularly test them to reveal vulnerabilities.