By on August 25, 2016

Jeep with "data" overlay, Image Source: FCA

It’s an issue that the computer and Internet technology industry has been fighting for years: Hackers trying to gain access to your PC or the network of a major corporation with nefarious intentions such as extracting ransom from users after seizing data.

However, as vehicles become more laden with technology and increasingly connected to the Internet, could they also become targets?

Two leading security experts believe that your car, which is for the most part unsecured against hacking, will attract the attention of criminals in the not too distant future.

In the Internet technology world, this type of scenario is called ramsonware (Locky, CryptoLocker), but when it comes to an automobile, Stephen Cobb refers to it as jackware. Cobb and colleague Cameron Camp are IT security experts with a firm called ESET and they believe the possibility of jackware being used on vehicles is real.

“Right now, if you have physical access, getting your car to do strange things is not terrifically difficult at all,” said Camp, a malware researcher at ESET.

That can be done by plugging directly in to the Controller Area Network (CAN) bus, listening for the codes and then inputting codes of your own. Over-the-air hacks are a little more complicated, he said, but the CAN bus is a major weakness in connected vehicles.

“You have to rely on the car being connected across the Internet and you have to be able to … break through that system and go into the car,” Camp said. “That is tougher only because you have to cross the digital boundary between the infotainment system and the CAN bus.”

However, Camp says some infotainment systems already cross that boundary, which could eventually lead to problems.

A CAN bus helps connect the various systems and sensors on a vehicle. While they are built for reliability, they are not designed with IT security in mind, Camp said.

Cobb, a senior security research officer at ESET North America, believes that while jackware for vehicles remains theoretical at this point, it is a real threat that should be taken seriously.

“In terms of locking your car and demanding money to unlock it, I wouldn’t be surprised to see it within the next 18 months,” he said.

But he adds that depends on how much progress is made against ransomware or jackware on laptops and phones, which are now the primary targets of hackers trying to extort money from victims.

“Fortunately, there are a limited number of criminals and they will go for the easiest money first. So if we start to make progress stopping ransomware on regular computing devices, that would accelerate its shift, potentially, to other areas” such as vehicles, Cobb believes.

And Camp says once the hackers find a way into one particular car, millions of vehicles are at risk.

“The problem with cars … with very few exceptions, is once you find a vulnerability on a car, there is no way to easily remedy it. The whole industry doesn’t really know how to deal with that,” he said.

He said it’s time for consumers to start questioning how manufacturers are addressing this security threat and he believes awareness is what will make automakers react to the looming threat.

He likens the situation to what was happening with mobile devices five years ago, where nothing changed until consumers starting asking questions about what was being done to secure the platform against hacking.

Automakers have took a step in the right direction, the two men believe, when the Automotive Information Sharing and Analysis Center (Auto-ISAC) was formed in July 2015. Earlier this year, the Auto-ISAC released its cybersecurity best practices and that is fuelling hope that manufacturers are taking the issue seriously, Camp and Cobb said.

“It’s a good idea and they came out with a statement of principles, which all look very good,” Cobb said. “What’s difficult to assess is the levels to which this is being acted upon and the extent to which the philosophy behind cyber security will interact with the automotive approach to safety.”

He says the automotive industry is famous for the thought that if it costs more than a $1 to fix, then we will risk it.

Cobb notes that ISACs have been around for years in other industries and that automakers are late to the party. But he believes the move is a good one, adding that bug bounty programs at General Motors and Fiat Chrysler are also steps in the right direction.

He points to Ford’s announcement that it would introduce Apple CarPlay and Android Auto in all 2017 models as an example of how the trend toward connected vehicles is picking up speed and exposing more and more consumers to a possible threat.

“You are really sort of pushing this stuff out there and as the number of connected cars increases, then the potential to monetize – whether it’s through scareware messages or whether it’s through actually disabling the car — just sort of grows,” Cobb said.

For its part, Ford says it is aware of the possible threat posed to connected vehicles.

“We take cyber security very seriously by consistently working to mitigate the risk. We focus on the security of our customers before the introduction of any new technology feature by instituting policies, procedures and safeguards to help ensure their protection,” the company said in an emailed statement.

Cobb says Tesla built its cars so that they are easy to update remotely in a way that is “as far as we know, secure.”

He believes that is the direction most automakers should be taking.

The problem, however, isn’t just the cars, but the support infrastructure like websites that allow you to monitor and control settings on your vehicle.

Cobb cites reported vulnerabilities in the BMW ConnectedDrive website.

“That would have allowed you, then, to mess with the settings that someone has for their ConnectedDrive, which includes things like – if you have it connected – your home alarm system,” Cobb said.

For its part, BMW Group said it quickly remedied an issue that was reported on the website. Similar vulnerabilities were also repaired on the UK and U.S. portals, spokesperson Hector Arellano-Belloc said.

“At no time was there any risk to a user who directly called up the BMW web portal. In order to exploit the weak point, the user would have had to click on a manipulated link which had been previously sent by a hacker, e.g. in an email, sent with the intention to defraud,” he wrote in an email.

“We have not received any indications that this weak point has been exploited. Customers of the BMW Group have therefore not sustained any loss or damage.”

Camp says more must be done to secure the networks surrounding connected cars before more functionality is added.

There are two separate networks that pose a risk: The network in the vehicle, the architecture of which is not very secure, and then you have the supporting structure, which is the internet, a system that has been shown to be insecure.

There is hope for a solution, Camp believes, now that the industry acknowledged the issue.

“I am really glad to see there’s finally a commitment … from the automotive folks,” he said. “Because that is where the buy-in starts. If you have the buy-in and you have the budget, then you can get there.”

While the threat of ramsomware and jackware is scary, there is an even more frightening possibility as cars become more connected and, eventually, autonomous: taking over a car for malicious purposes while it is in motion.

Cobb believes that until we see self-driving vehicles on the road, the likely reason for most car hacking will be greed.

“The dimensions of threats are interesting,” Cobb said. “The number of people who would want to maliciously hack a car to kill someone is probably smaller by magnitudes than the number of people who would like to make money off people who have cars.”

Cobb sees locking the car for ransom as phase 1 of the threat from hackers, while taking over and actually controlling the car remains difficult at the moment.

“The extent to which the physical control be abused is, I think, a function of the autopilot capabilities,” he said, with the threat level increasing the closer we get to self-driving cars.

While talk of such hacks remains mostly hypothetical at this point, “everything we have seen about technology exploitation in the past indicated that this is where we are headed.”

As you add functionality, people will start to target that, Cobb said.

“The attack surface expands and the potential for monetization and abuse increases,” he said.

The attack surface is the number of points that a hacker can use to try and access the system, so the more technology on a vehicle, the greater the risk.

Cobb believes it’s not irresponsible to speculate about a self-driving car being taken over for malicious purposes.

“Why wouldn’t that happen? Why wouldn’t people do that? And what is being done to prevent that from happening?” he wondered.

Cobb said he has real reservations about self-driving cars, and the hacking threat is just one of the issues he sees.

“There are big areas of concern around self-driving cars,” he said. “There’s the ethics … the legal question of who has got the responsibility and then you do have the hacking side of it. They are clearly going to be, as in any new device, a target.”

Camp says he is often asked how wise it is to have all this technology in vehicles given the security concerns.

“We are asked all the time that if the biggest companies in the world can’t figure this out, is this the best time to push this all out to an automobile, which have the potential of real kinetic damage,” he said. “It’s a fair question.”

“Are we ready to go full press in automotive, with basically almost no security?”

Get the latest TTAC e-Newsletter!

13 Comments on “How Safe Are Cars from Hackers?...”

  • avatar

    Firstly let me say that “IF YOU PUT A HELLCAT IN IT, IT WONT GET HACKED”. Secondly, good article. It was informative and lets us know that this is real and will become more real the closer that we get to autonomous driving as well as more complex autos.

    Its been a rule for about 20 years in computers now that the more complex something becomes the easier it breaks and to be broken into. With everything from medical records to bank accounts to school records online its just a larger target.
    I have made it no secret that I dont care or trust autonomous vehicles however I don’t condemn those that want this. I have an issue with the folks that believe that its the answer to all the ills of American roads. They IMO believe that it should be the standard and replace in their opinion all of the “poor drivers” on the road.

    OK back to the article. It does a good job of not taking sides or the appearance of an agenda. I enjoyed it because it makes the reader aware of the threat. Hell even my fridge is connected to the internet.

    • 0 avatar

      “Hell even my fridge is connected to the internet.”

      Christ, the new CPAP I just got when my old one fritzed is connected. Every morning it snitches on my sleep pattern.

      I’m supposed to create an account with the tracking site to help them “assure compliance”. Haven’t done it yet. I may just keep forgetting to.

    • 0 avatar

      I believe the only OEM that suffered a significant compromise also made the Hellcat, so that kind of torches that.

      But you’re right about the atrocious security of the internet of things. It’s hard enough for people & companies who do have a vested interest in keeping things secure to do so—so what incentive to do better is there for companies whose focus is on moving metal?

  • avatar

    I haven’t had time to read the article, but my gut reaction to the headline is that cars from hackers would not be particularly safe.

    • 0 avatar

      Ok.. that was a good one. But then again how safe would a car sold by Apple, Google or Samsung be? They all would be tracking you and selling your information.

      • 0 avatar

        Tech companies have more experience with hackers than traditional car companies. And within tech companies, there are differences. With Apple, you own your data. With Google, you still own your data, but Google bots can access it to tailor advertising to you.

        As for tracking, it’s a good thing when monitoring traffic. It also makes a good deterrent against theft. I can only hope you can turn off tracking as easily as you can turn off ESC / Traction Control.

        But absolutely, whether cars from traditional companies, tech companies, or hackers (haha), they are all a ripe target.

  • avatar

    The point of ransomware on a computer is not to lock up the hardware, but to lock up the data. If somebody was to remotely lock up my car, the ransom they demand had better be less than the cost of having the dealer wipe and reinstall the software.

    I’d worry a lot more about someone trying to cause an accident for the lulz than someone rendering the car inoperable.

  • avatar

    “That can be done by plugging directly in to the Controller Area Network (CAN) bus, listening for the codes and then inputting codes of your own. Over-the-air hacks are a little more complicated, he said, but the CAN bus is a major weakness in connected vehicles.”

    This isn’t likely to get better any time soon. The kind of overhead you’d require to completely secure the system is cost-prohibitive and somewhat failure prone. It could also fall afoul of Magnusson-Moss.

    You would have to have each autonomous system (ECU, BCMs, the ICE) in an car authenticate each other via some sort of key exchange, and you would need to ensure that each of those components is hardened against exploits. It would be akin to how your iPhone asks “Trust this computer?” when you connect it.

    You can see the issue right away: even in IT, many systems don’t mutually authenticate, and almost nothing that physically connects does so (HDMI and the iPhone are the only examples I can think of). When was the last time you were asked to authenticate a USB thumb drive? Because it’s trivial to build other devices into a thumbdrive-sized package and have those compromise your computer.

    The best the industry can hope for is addressing the low-hanging fruit:
    * Physical security is impossible; if someone can open your car, you’re done for, and all you’ll do is piss off legitimate users. Stop trying to secure CAN end-to-end.
    * Don’t re-invent the proverbial wheel. If someone else has a secured stack for, eg, remote control, then use that. Bluetooth already has a secure key-exchange built into it–use that.
    * Do firewall the systems that have external connections, like the ICE or the RF interface.
    * Don’t connect the car to the public internet; use a VPN and/or make arrangements with telcos to use a private APN or some other kind of carrier VPN.
    * Don’t connect the systems that connect to cars to the internet. Air-gap them.

    • 0 avatar

      To psarhjinian’s point (and several other’s), the best offense is your own defense. No matter how much automakers (and others, such as Apple, Microsoft, etc) pour money, time, effort into security issues, the hackers are always ahead of the game.

      Therefore, I do agree with the people quoted in the article that first line of defense is to not have it in the car, period; or at least make it optional. This way, users can have a choice just how much their car is available to the wireless world Methinks half the reason automakers include this stuff standard is to make their own lives easier, for remote diagnostics and such.

      Next, users should not enable most if not all the connectivity features if they are not sure how secure they are. To wit, I have a 2015 Ford branded product, and I have not enabled SYNC yet. Yes, the functionality is very limited… but it also means my car is not connected to the Ford mothership nor the internet, so the only chance for hacking/intrusion is to break into the car itself. If a hacker was going to do that, they would be better off just stealing it, as it is really hard to not know your CAN bus was hacked if you keep your car locked and the windows up….most hackers are not yet also car thieves.

      • 0 avatar

        I have a theory. I think it might be easier to hack an older car – let’s say one from the sixties.

        If I remember correctly, on those cars you could easily open the hood open without having to break into the car. First, you’d have to develop a kit that could be quickly installed. Probably a linear actuator to attach to the throttle linkage and then something to fire the front brakes individually to steer the car. Maybe build it from a modern ABS motor and pump unit. Tie the whole kit to a cellular modem and you’re in business. So, pop the hood, then mount and attach the linear positioner to the throttle and splice the abs pumps into the brake lines. Probably a lot easier than hacking a modern car.

  • avatar

    Wait, what? Hacking the car while driving along? Lets get a few things straight…

    Keyless operation of cars means your car can be stolen by anybody who has a hacked “radio” that can listen to the fob. There might be some “encryption”, but it is likely more “cereal box” stuff instead of the easily available professional crypto level stuff. Remember that scene in Top Gear where they drove half a block with captain slow’s car? I somehow doubt that was one of the many fake scenes in that show.

    On the other hand, it isn’t like old fashioned car keys weren’t all that easy for thieves to get around either. The same guys interested in cracking locks and safes are the same ones looking for weak crypto over RF.

    As far as “OMG hacking!” what are you afraid of? Wide spread attacks where cars suddenly do crazy things (in these parts, we call that “the beltway”)? Drivers fed up with cars not getting out of their way and pressing the “let the emergency car get through” button (or simply swerve you into a ditch)? Outright theft is too easy and doesn’t require “hacking”.

    Look deeper and I’m willing to bet this whole hysteria is caused due to complete ignorance (I don’t think there is *anything* in computers more hated, misunderstood nor misused than security) and the inevitable desire to remove all possible consumer modifications from cars (for reasons of safety, emissions, but mostly to make sure as much money flows to corporate headquarters).

  • avatar

    I read that Singapore’s government is disconnecting their offices from the internet. Experts said that was pretty drastic, but they all said it would be effective to prevent hacks.

Read all comments

Recent Comments

  • namesakeone: I did purchase extended warranties on my last two used cars. Within two years they paid for themselves....
  • namesakeone: I did purchase extended warranties on my last two used cars. Within two years they paid for themselves....
  • MrIcky: If it’s the rumored i4, then this might not be such a bad thing. The 2.7 has lots of hp and torque and...
  • ttacgreg: Indeed. A car that is a car, rather than a computer that just happens to be a car. I suspect that it is all...
  • ttacgreg: Indeed. A car that is a car, rather than a computer that just happens to be a car. I suspect that it is all...

New Car Research

Get a Free Dealer Quote

Who We Are

  • Adam Tonge
  • Bozi Tatarevic
  • Corey Lewis
  • Jo Borras
  • Mark Baruth
  • Ronnie Schreiber