Will the next victims of computer hackers be motorists?
The risk is real, not only possible but plausible, given the vulnerability of the 250 million or more cars, trucks and buses currently operating in the U.S. alone, all computer-controlled to a significant degree.
“Wherever there is a computer, there is a threat,” Chris Preuss, president ofCo.’s OnStar operations, tells Ward's.
“It's a big threat,” agrees Phil Magney, vice president-Automotive Practice at Minnetonka, MN-based telematics and electronics consultant iSuppli. “The automotive systems will be vulnerable if measures are not taken.
“It is not a question of if, it is a question of when something happens, and it could be bad.”
Industry insiders say a recently released study, “Experimental Security Analysis of a Modern Automobile,” compiled by two teams of computer scientists at the University of California San Diego and the University of Washington, is an accurate assessment of vehicle vulnerability.
In a series of experiments performed for the study, the university teams demonstrated the relative ease with which anyone with computer savvy can bypass the rudimentary security protection of a vehicle’s computer network and, as the study puts it, “adversarially control a wide range of automotive functions and completely ignore driver input.”
Their experiments involved two unidentified ʼ09 automobiles of the same make and model, selected because they contained a large number of electronically controlled components and a sophisticated telematics system.
The study was focused primarily on what an attacker could do to a vehicle if able to “maliciously communicate on the car’s internal networks,” and suggested two ways to gain access to those networks.
Physical access, if available, would enable an attacker to insert a malicious component into the networks via the ubiquitous, federally mandated onboard diagnostic (OBD-II) system port, typically located under the dash.
An alternative entrance could be made via the numerous wireless interfaces in the modern automobile. In their test cars, for example, the authors identified five kinds of digital radio interfaces that accept outside inputs.
Testing was conducted in three different ways: on components in isolation, removed to laboratory benches; on the two automobiles while stationary, both on and off jacks; and at speed on a closed course, the lengthy runway of a decommissioned airport.
Testers found they could:
- Prevent a car engine from being turned on or, if on, off.
- Boost engine RPM temporarily, disturb engine timing, disable all cylinders simultaneously and disable the engine in such a way that it could not be started or would knock excessively when restarted.
- Disable communications to and from all electronic control units, even while the car’s wheels were moving at speed.
- Forcibly and completely disengage the brakes while a car was moving, making it difficult for the driver to stop or, conversely, forcibly activate the brakes, causing a sudden stop.
- Engage the front left brake and lock it, making it resistant to manual override.
- Fully control the instrument panel cluster so as to display arbitrary messages, falsify the fuel level and manipulate the speedometer to show an arbitrary speed, tricking the driver into going too fast.
- Disable all lighting, including headlights and brake lights, when the car was traveling at speeds of 40 mph (64 km/h) or more.
- Create a “self destruct” demo involving a 60-second countdown, displayed on the dash and accompanied by horn honks, which culminated by killing the engine and activating the door lock relay, preventing the occupant from using the electronic door unlock button.
- Implant malicious code into a car’s telematics unit.
The study reports that, starting in the mid-1990s, auto makers began marrying more powerful ECUs with peripherals such as global-positioning systems that provide external network access.
They cite as an example OnStar, which enables authorized personnel to track a car’s location, remotely stop the car, automatically place emergency calls in case of an accident, and relay its location. Similar telematics packages includeMotor Co.’s Sync, Group LLC’s Uconnect, AG’s Connected Drive and Lexus’ Enform.
Potentially, all could be invaded and abused by a knowledgeable computer attacker.
iSuppli’s Magney agrees the threat to security is increasing as auto makers open up outside access to vehicle networks so consumers can download new features or couple car systems with portable devices.
“There is security built in, but never has there been external data packets and commands actually coming into the vehicle,” he says. “This is the first time it has happened.”
Preuss also acknowledges the risk from such things as cellular- and Bluetooth-embedded systems, but says OnStar has multiple firewalls in its system and can shut down all inbound phone penetration of a vehicle in the event a viral attack happens.
“I don't want to give away specific deterrents to infiltration,” he says. “We have a group that studies these threats and have a lot of resources (to combat hacking).”
OnStar also works with key suppliers, including LG Electronics Inc., which provides the main hardware box to OnStar.
As early as 2005, some individuals demonstrated they could get into the OnStar GPS system.
“We devised a fix for that,” Preuss says, promising the ninth-generation system that debuts this year will have enhanced security.
The two teams of computer scientists had little difficulty manipulating the operating systems of the test cars by connecting a laptop computer through the OBD-II port to the controller area network (CAN) bus required in all vehicles sold in the U.S. since 2008.
Since modern vehicles have become so complex, a major use of the CAN bus is to provide diagnostic access to service technicians, members of the tuner subculture and other automobile enthusiasts.
Yet, the study points out the CAN bus has a number of generic weaknesses that can be exploited, explaining “a malicious component on the network can easily snoop on all communications or send packets to any other node on the network.”
Preuss says hacking the CAN bus certainly is possible and calls on key players to work together to minimize that risk.
“The industry needs to take action on this, probably on the SAE level,” he says.
Ironically, although much of the new computer software has been introduced by auto makers specifically to increase safety (such as antilock-brake systems), the study’s authors believe it is likely the increasing degree of computerized control will include a corresponding array of potential threats.
“While automotive components are clearly and explicitly designed to safely tolerate failures – responding appropriately when components are prevented from communicating – it seems clear that tolerating attacks has not been part of the same design criteria,” the study concludes. “The attack surface for modern automobiles is growing swiftly as more sophisticated services and communications features are incorporated into vehicles.”
The researchers emphasize it is possible to design computer code that “completely erases any evidence of itself after executing an attack” and note the absence of a forensic trail might make it infeasible to determine if a particular crash is caused by an attack, minimizing the possibility of any law-enforcement action.
The study analyzes the security implications if an attacker is able to compromise a car’s internal communications network, not how an attacker might be able to do so, and concludes that “it is not yet clear what the right solution for security is or even if a single right solution exists.”
But as vulnerable as networks are becoming, iSuppli researchers say vehicles never will be as open as a PC. And expect government involvement with the issue soon, they add.
“They will get involved and paint (hacking) as a driver-distraction issue,” predicts Mark Boyadjis, analyst and regional manager-Automotive, North America at iSuppli.
– with James M. Amend and Herb Shuldiner