How Safe Are Cars From Hackers?

by Kevin Mio

It’s an issue that the computer and Internet technology industry has been fighting for years: Hackers trying to gain access to your PC or the network of a major corporation with nefarious intentions such as extracting ransom from users after seizing data.

However, as vehicles become more laden with technology and increasingly connected to the Internet, could they also become targets?

Two leading security experts believe that your car, which is for the most part unsecured against hacking, will attract the attention of criminals in the not too distant future.

In the Internet technology world, this type of scenario is called ransomware (Locky, CryptoLocker), but when it comes to an automobile, Stephen Cobb refers to it as jackware. Cobb and colleague Cameron Camp are IT security experts with a firm called ESET and they believe the possibility of jackware being used on vehicles is real.

“Right now, if you have physical access, getting your car to do strange things is not terrifically difficult at all,” said Camp, a malware researcher at ESET.

That can be done by plugging directly into the Controller Area Network (CAN) bus, listening for the codes and then inputting codes of your own. Over-the-air hacks are a little more complicated, he said, but the CAN bus is a major weakness in connected vehicles.

“You have to rely on the car being connected across the Internet and you have to be able to … break through that system and go into the car,” Camp said. “That is tougher only because you have to cross the digital boundary between the infotainment system and the CAN bus.”

However, Camp says some infotainment systems already cross that boundary, which could eventually lead to problems.

A CAN bus helps connect the various systems and sensors on a vehicle. While they are built for reliability, they are not designed with IT security in mind, Camp said.

Cobb, a senior security research officer at ESET North America, believes that while jackware for vehicles remains theoretical at this point, it is a real threat that should be taken seriously.

“In terms of locking your car and demanding money to unlock it, I wouldn’t be surprised to see it within the next 18 months,” he said.

But he adds that depends on how much progress is made against ransomware or jackware on laptops and phones, which are now the primary targets of hackers trying to extort money from victims.

“Fortunately, there are a limited number of criminals and they will go for the easiest money first. So if we start to make progress stopping ransomware on regular computing devices, that would accelerate its shift, potentially, to other areas” such as vehicles, Cobb believes.

And Camp says once the hackers find a way into one particular car, millions of vehicles are at risk.

“The problem with cars … with very few exceptions, is once you find a vulnerability on a car, there is no way to easily remedy it. The whole industry doesn’t really know how to deal with that,” he said.

He said it’s time for consumers to start questioning how manufacturers are addressing this security threat and he believes awareness is what will make automakers react to the looming threat.

He likens the situation to what was happening with mobile devices five years ago, where nothing changed until consumers started asking questions about what was being done to secure the platform against hacking.

Automakers took a step in the right direction, the two men believe, when the Automotive Information Sharing and Analysis Center (Auto-ISAC) was formed in July 2015. Earlier this year, the Auto-ISAC released its cybersecurity best practices and that is fuelling hope that manufacturers are taking the issue seriously, Camp and Cobb said.

“It’s a good idea and they came out with a statement of principles, which all look very good,” Cobb said. “What’s difficult to assess is the levels to which this is being acted upon and the extent to which the philosophy behind cyber security will interact with the automotive approach to safety.”

He says the automotive industry is famous for the thought that if it costs more than $1 to fix, then we will risk it.

Cobb notes that ISACs have been around for years in other industries and that automakers are late to the party. But he believes the move is a good one, adding that bug bounty programs at General Motors and Fiat Chrysler are also steps in the right direction.

He points to Ford’s announcement that it would introduce Apple CarPlay and Android Auto in all 2017 models as an example of how the trend toward connected vehicles is picking up speed and exposing more and more consumers to a possible threat.

“You are really sort of pushing this stuff out there and as the number of connected cars increases, then the potential to monetize – whether it’s through scareware messages or whether it’s through actually disabling the car — just sort of grows,” Cobb said.

For its part, Ford says it is aware of the possible threat posed to connected vehicles.

“We take cyber security very seriously by consistently working to mitigate the risk. We focus on the security of our customers before the introduction of any new technology feature by instituting policies, procedures and safeguards to help ensure their protection,” the company said in an emailed statement.

Cobb says Tesla built its cars so that they are easy to update remotely in a way that is “as far as we know, secure.”

He believes that is the direction most automakers should be taking.

The problem, however, isn’t just the cars, but the support infrastructure like websites that allow you to monitor and control settings on your vehicle.

Cobb cites reported vulnerabilities in the BMW ConnectedDrive website.

“That would have allowed you, then, to mess with the settings that someone has for their ConnectedDrive, which includes things like – if you have it connected – your home alarm system,” Cobb said.

For its part, BMW Group said it quickly remedied an issue that was reported on the www.BMW.de website. Similar vulnerabilities were also repaired on the UK and U.S. portals, spokesperson Hector Arellano-Belloc said.

“At no time was there any risk to a user who directly called up the BMW web portal. In order to exploit the weak point, the user would have had to click on a manipulated link which had been previously sent by a hacker, e.g. in an email, sent with the intention to defraud,” he wrote in an email.

“We have not received any indications that this weak point has been exploited. Customers of the BMW Group have therefore not sustained any loss or damage.”

Camp says more must be done to secure the networks surrounding connected cars before more functionality is added.

There are two separate networks that pose a risk: the network in the vehicle, the architecture of which is not very secure, and the supporting structure, which is the Internet, a system that has been shown to be insecure.

There is hope for a solution, Camp believes, now that the industry has acknowledged the issue.

“I am really glad to see there’s finally a commitment … from the automotive folks,” he said. “Because that is where the buy-in starts. If you have the buy-in and you have the budget, then you can get there.”

While the threat of ransomware and jackware is scary, there is an even more frightening possibility as cars become more connected and, eventually, autonomous: taking over a car for malicious purposes while it is in motion.

Cobb believes that until we see self-driving vehicles on the road, the likely reason for most car hacking will be greed.

“The dimensions of threats are interesting,” Cobb said. “The number of people who would want to maliciously hack a car to kill someone is probably smaller by magnitudes than the number of people who would like to make money off people who have cars.”

Cobb sees locking the car for ransom as phase 1 of the threat from hackers, while taking over and actually controlling the car remains difficult at the moment.

“The extent to which the physical control be abused is, I think, a function of the autopilot capabilities,” he said, with the threat level increasing the closer we get to self-driving cars.

While talk of such hacks remains mostly hypothetical at this point, “everything we have seen about technology exploitation in the past indicated that this is where we are headed.”

As you add functionality, people will start to target that, Cobb said.

“The attack surface expands and the potential for monetization and abuse increases,” he said.

The attack surface is the number of points that a hacker can use to try and access the system, so the more technology on a vehicle, the greater the risk.

Cobb believes it’s not irresponsible to speculate about a self-driving car being taken over for malicious purposes.

“Why wouldn’t that happen? Why wouldn’t people do that? And what is being done to prevent that from happening?” he wondered.

Cobb said he has real reservations about self-driving cars, and the hacking threat is just one of the issues he sees.

“There are big areas of concern around self-driving cars,” he said. “There’s the ethics … the legal question of who has got the responsibility and then you do have the hacking side of it. They are clearly going to be, as in any new device, a target.”

Camp says he is often asked how wise it is to have all this technology in vehicles given the security concerns.

“We are asked all the time that if the biggest companies in the world can’t figure this out, is this the best time to push this all out to an automobile, which have the potential of real kinetic damage,” he said. “It’s a fair question.”

“Are we ready to go full press in automotive, with basically almost no security?”

Comments
  • Wumpus on Aug 25, 2016

    Wait, what? Hacking the car while driving along? Let's get a few things straight... Keyless operation of cars means your car can be stolen by anybody who has a hacked "radio" that can listen to the fob. There might be some "encryption", but it is likely more "cereal box" stuff instead of the easily available professional crypto level stuff. Remember that scene in Top Gear where they drove half a block with captain slow's car? I somehow doubt that was one of the many fake scenes in that show. On the other hand, it isn't like old fashioned car keys weren't all that easy for thieves to get around either. The same guys interested in cracking locks and safes are the same ones looking for weak crypto over RF. As far as "OMG hacking!" what are you afraid of? Widespread attacks where cars suddenly do crazy things (in these parts, we call that "the beltway")? Drivers fed up with cars not getting out of their way and pressing the "let the emergency car get through" button (or simply swerve you into a ditch)? Outright theft is too easy and doesn't require "hacking". Look deeper and I'm willing to bet this whole hysteria is caused due to complete ignorance (I don't think there is *anything* in computers more hated, misunderstood nor misused than security) and the inevitable desire to remove all possible consumer modifications from cars (for reasons of safety, emissions, but mostly to make sure as much money flows to corporate headquarters).

  • Fred on Aug 26, 2016

    I read that Singapore's government is disconnecting their offices from the internet. Experts said that was pretty drastic, but they all said it would be effective to prevent hacks.
