Your laptop is gone along with that bottle of Cabernet you just bought at the wine shop. You know you locked your car before you ran into the market to pick up those last few things for dinner. It’s not locked now and your stuff is gone. You got hacked.
It may be ironic that as our cars become safer they become more vulnerable. Recently, major automakers agreed to install auto braking systems in all cars sold in the U.S. by 2022. Add this feature to others such as collision avoidance and lane change assist and we have greater safety, but with a price paid in increasingly complex computer code that makes today’s cars some of the most sophisticated machines on the planet. “Cars these days are reaching biological levels of complexity,” says Chris Gerdes, a professor of mechanical engineering at Stanford University.
Even the most basic cars can have upwards of fifty electronic control units (ECUs) that communicate over a car’s CANs, or Controller Area Networks. The result: today’s cars are controlled by computer programs with over 100 million lines of code. An F-22 fighter has two million lines. The seventeen-mile-long Large Hadron Collider, which is unlocking secrets of the universe five hundred feet below the border of France and Switzerland, has “only” 80 million. With this complexity, who could have discovered VW’s programming that allowed over eleven million vehicles to avoid U.S. pollution control laws?
Back to your unlocked car. Jerry Hirsch of the L.A. Times writes that last January, BMW was forced to act when it was discovered that a basic lack of encryption technology left over two million of its vehicles vulnerable to hacking of door locks. The picture gets more ominous. In a demonstration staged for Wired magazine, two hackers sitting on a couch ten miles away gained control of a Jeep Cherokee as it drove down a St. Louis highway at 70 miles per hour. Rap music began blasting out of the stereo. The air conditioner went into spasms. The wipers moved as the car sprayed washer fluid onto the windshield. Finally, the engine turned off. The demonstration rang alarm bells at the NHTSA, which negotiated with Chrysler-Fiat to recall 1.4 million vehicles to fix the vulnerability in the UConnect system that was exploited by the hackers. Tech gurus have also hacked into a Tesla S and used a dongle plugged into the OBD2 port of a 2014 Corvette to control the car’s brakes and wipers. In Europe, researchers started vehicles by hacking into Megamos Crypto transponders, devices that authenticate a car’s key fob before allowing the vehicle to start.
Time to get paranoid? Not so fast, says Andrew Brandt, director of Threat Resource. He notes that the Tesla attack required access to hardware that could be reached only by taking apart the car’s dashboard. To control the Jeep it was necessary to update the car’s operating system and flash it into the car’s computer, a process that took considerable effort. A spokesman from Audi, which uses the Megamos Crypto unit, downplayed the threat of hacked transponders. The units use 96-bit encryption when communicating with the car’s fob, making a random guess of the correct code needed to start the vehicle virtually impossible. The spokesman noted, “manipulators must record at least two consecutive engine-starting operations with the original key, so it isn’t easily accomplished in the real world and uncommon.” Still, the researchers who did record the code twice were able to reduce the number of guesses necessary to find the actual key code from billions to 196,607. Thirty minutes later, using a brute force technique, they had the information needed to make a duplicate key. As for dongles, Brandt says they’re easy to spot: if you see something plugged in under your dash that you didn’t put there, remove it immediately.
Right now it’s unclear where the security of your car will ultimately rest. Facing potential legal liability, car makers have tremendous incentive to prevent hacking. Maryanna Saenko, a senior analyst at Lux Research, observes that car makers are awaking to the reality that, as they develop increasingly connected cars, they are pushing security risks onto the market. Stefan Savage, a computer security professor at the University of California, goes even further, describing automakers as “in a state of panic.” Tesla co-sponsored a car hacking village at a recent DEF CON conference and has offered a $10,000 bounty to any hacker who can uncover flaws in its code. According to Robert Strassburger, vice president for vehicle safety at the Alliance of Automobile Manufacturers, companies are creating a central clearing house that will work to identify and share potential threats and vulnerabilities. Such a center might work better if the calls of some security experts for open source software are heeded. Currently, car computer codes are proprietary and closely guarded. Companies argue that opening their code would allow less innovative competitors a free ride on their efforts.
Even with the threat of lurking legal action, not all car companies have moved vigorously when faced with security breaches, a reluctance to act that has caught the attention of federal regulators. A bipartisan bill named the Security and Privacy in Your Car Act was introduced in the U.S. Senate this past July. The bill calls for the establishment of federal standards to protect the privacy of drivers and the security of their cars. The bill also calls for incentives to manufacturers to develop better technologies and streamline the process for recalls. There is also action in the House; a subcommittee is crafting legislation that would require manufacturers to state their privacy policies and impose civil penalties of up to $100,000 on anyone found guilty of hacking a vehicle. The House committee also calls for the creation of an Automotive Cybersecurity Advisory Council to develop best practices for manufacturers of cars sold in the U.S. Car companies strongly oppose any government interference and are yelling “hands off.” Some with ties to the industry have called the proposed legislation uninformed, poorly crafted and a hindrance to research and innovation. Advocates for legislation counter that current laws against hacking are woefully out of date and could actually criminalize legitimate research into computer vulnerabilities. They argue the current discussion of car hacking provides an excellent opportunity to update federal law.
Regardless of who tackles the problem, it’s one that will only become more pressing. With the development of autonomous vehicles, car computer systems can only become more sophisticated and, lacking tight security oversight, an increasingly attractive target for hackers.