Be Safe: Unpair Your Phone, Experts Say

Cyber security became a top priority for the auto industry last summer when two researchers wirelessly hacked into a Jeep Cherokee and took control of steering, the transmission and brakes. The stunt was for demonstration purposes.

February 4, 2016

The FBI's G. Thomas Winterhalter Jr., attorney James Giszczak, Anuja Sonalker from TowerSec and Elaina Farnsworth from Mobile Comply speak on cyber security panel. Tom Murphy

DETROIT – You’re late to the airport for a flight home and still have to drop off the rental car. You rush to the gas station to fuel up, check over the car for any dings or scuffs, grab your bags and hand off the keys at the rental lot.

There’s another important function to be performed before leaving the car, which could fall into other hands within a day, or sooner: If you used the ubiquitous Bluetooth link to pair your smartphone with the rental car’s audio system, a hacker with ill intentions could access important personal information left behind by your phone.

“A lot of people are not aware of that,” G. Thomas Winterhalter Jr., supervisory special agent in the Detroit Division of the FBI, tells WardsAuto after speaking on an Automotive Press Assn. panel here Wednesday dedicated to automotive cyber security.

“When you sync your phone to that rental car you’re in, when you turn that car in, unsync your phone, unpair it,” Winterhalter says, so there is no digital record of your time in the car when it goes to another customer.

This rule is particularly important for people who travel overseas. “If there’s an adversary that’s attempting to do anything, if they have the right tools and equipment, they can extract your contact information that most people authorize their phone to give to that system.”

Elaina Farnsworth, CEO of Mobile Comply, says it is “highly unlikely” a hacker could access important information that way. But she agrees with the FBI agent and wonders why anyone would want to take that chance.

“There’s always a danger when you leave your information on another device, so you have to assess that risk,” says Farnsworth, whose Pontiac, MI, company trains automakers and suppliers to compete in the evolving world of connected vehicles and intelligent transportation.

“Do you want the person renting the car behind you to really be able to know the information you put within your car?” she asks.

Mobile Comply works with the National Cyber Security Alliance and has been active with the “Stop.Think.Connect.” awareness campaign endorsed by the White House and Department of Homeland Security.

“Those are the kinds of people getting involved to write a curriculum to say, ‘What are the baseline components you need to know about security,’” Farnsworth says.

The conversation about automotive cyber security goes well beyond the U.S. and now is international. “There’s a lot of folks really putting this at the forefront to be able to train consumers, the workforce, executives and the general public on how risky this is,” she says.

Industry Responds to Jeep Hack

Wednesday’s panel discussion draws attention to a problem that intensified last summer when two security researchers wirelessly hacked into a Jeep Cherokee and took control of steering, the transmission and brakes.

The stunt was for demonstration purposes, and no one was injured. But Fiat Chrysler responded by recalling 1.4 million vehicles to correct a software vulnerability, and the automaker is taking steps to beef up network security measures.

The rest of the auto industry also has been quick to respond to the event. “Almost every automaker today has changed their corporate structures to now have a cyber security discipline, a chief cyber security officer, and they’re looking directly at their products,” says Anuja Sonalker, vice president-engineering North America at TowerSec Automotive Cyber Security, based in Ann Arbor, MI.

“They are hiring cyber security engineers. NHTSA is taking a proactive role (and asking), ‘How can we build standards or testing metrics to measure whether we are doing this right or wrong?’ Everyone – the automakers and Tier 1 suppliers – are working together.”

Compromising personal data within a car will create a field day for litigators, and attorney James Giszczak says he expects such class-action lawsuits to proceed further in court rather than being quickly dismissed by judges.

He refers to a federal case in the 7th Circuit involving a data breach at Neiman Marcus. “In that one, the plaintiff alleges they will suffer in the future (from) credit-card theft,” Giszczak says.

“It’s the first case where the court has said, ‘That’s enough, we will let that case go forward.’ If that case sticks and goes up through the Supreme Court, and the court allows those claims to stand, it will open the door for class-action litigation across the country in all industries.”

Safeguarding against automotive hackers will require cooperation throughout the auto industry, Sonalker says. She refers to the Information Sharing and Analysis Center, which was created in 2000 as an extension of information technology to help companies and organizations protect themselves.

The auto industry has set up an ISAC, and all members of the Alliance of Automobile Manufacturers are involved.

“It takes a community to solve a problem, and the alliance has really stepped up, trying to get all the right parties together,” Sonalker says. “The president has said we need to build more ISACs in other industries.”

The problem may be complex, but the organization’s goal is reasonably simple: identify threats and share them with all members so they can be analyzed, assessed and hopefully prevented. “Everyone benefits from that one disclosure,” she says.

Sonalker’s company TowerSec develops intrusion detection and prevention systems for automakers and suppliers. She describes the technology as similar to a fishnet.

“Our device sits on the network in the car. Information is passing through the fishnet, and when an attack comes through, we detect it in real time. We have a prevention system, which will identify the attack, the source of it, and squash it in real time, so the driver will not even know. It’s all taken care of in real time, at instant message level.”

TowerSec’s technology has been used in trial vehicles for about a month, but Sonalker says it likely will not appear in production vehicles until about 2018.
