Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

As more cars come with wireless connectivity and in-car apps, more of them will be vulnerable to potentially dangerous hacking, two well-known researchers warned at the Black Hat security conference in Las Vegas on Wednesday.

In a study of nearly 20 different vehicles, Charlie Miller, a security engineer with Twitter, and Chris Valasek, director of vehicle security research with security services firm ioActive, concluded that most control systems were not designed with security in mind and could be compromised remotely. The pair created cybersecurity ratings for the vehicles, which will be published in a paper later this week.

“When you are looking to buy a car, you can pick up a magazine and it will tell you, ‘Here are the safety features of this car,’” Valasek said. “Why can’t we, as the security industry, start making reports that say, ‘These cars have good cybersecurity and these cars don’t have good cybersecurity’?”

As the automotive industry has added more digital control systems and embedded computers, vehicles have become easier to hack. In 2011, researchers from the University of Washington and the University of California San Diego analyzed  a midpriced sedan, discovering that it could be compromised via either a disk inserted in its CD player, the diagnostic equipment used by mechanics, or a cellular connection.

Since then, other research groups have studied car security and demonstrated ways to take control of brakes, acceleration, and other functions. High-end vehicles often have computerized control of the brakes and acceleration, for collision prevention and intelligence cruise control, and automated steering to allow self-parking and the ability to remain centered in a lane.

Attacks on automotive control systems involve three steps, according to Valasek and Miller. An attacker must first find a way to exploit a vehicle system, then use that vulnerability to send a command to the electronic control unit (ECU), and finally get the ECU to execute the command.

Because of the proliferation of wireless access in vehicles, especially Bluetooth and cellular connectivity, remote execution is increasingly possible. The feasibility of sending commands to the electronic control units that manage different vehicle functions depends on the design of the car.

Car companies need to design their systems to detect exploitation attempts and prevent security from being compromised, Miller said: “You want to make each of these three steps harder for the attacker.”

But with car manufacturers competing on features, the addition of in-car applications from navigation to streaming music could leave more vehicles vulnerable, Miller added. “In-car apps and desktop-like features pose huge upcoming threats,” he said.

Designing security into vehicles is especially important because applying software patches is problematic. Updating the software in a car means bringing the vehicle to a dealer for service, a step that most owners will not take.

“When you get [recall] notices in mail, you ignore them,” Valasek said. “It is going to be really hard, if a real live exploit comes out, to patch the problem.”

2 comments. Share your thoughts »

Tagged: Computing, Black Hat, Black Hat security conference, cybersecurity

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me