Your next car might come with a great safety rating or reliability score, but how hackable will it be?
Security researchers recently demonstrated several tricks for hacking into cars in order to take control of components such as the stereo and windshield wipers, and even the engine and brakes. In one example, a pair of experts remotely deactivated the braking system on a Jeep Cherokee as a journalist drove it down the road.
Unsurprisingly, carmakers have begun taking computer security a lot more seriously, but they have been blindsided by the speed of technological change within the industry, and especially by how the addition of connectivity has opened cars up to attack. At the same time, they are rapidly adding new functionality that will require extra security scrutiny.
The electric-car maker Tesla is ahead of the curve, with a car that is both highly computerized and connected and relatively well protected against hackers. Unlike most cars on the road, the latest Model S features an internal computer network that separates different systems, making it harder for hackers to jump from one system to the next. The experts who breached the Jeep, for instance, used the entertainment system as a way to access other vehicle components. Other carmakers are now developing similar systems, says Joshua Corman, an independent security researcher who consults with car companies. “There’s really no reason to have the stereo speak to the brakes,” he says.
Carmakers are also reviewing their approach to dealing with security flaws and bugs, meaning they will invite security researchers to alert them to problems and work with those researchers to get the problems fixed (rather than threatening to sue the researchers, as has happened in the past). Tesla has offered cash bounties to those who disclose such problems. Several experts in the field say other car companies may soon do the same. Corman says two automakers had planned to reveal a new approach at Defcon, a major computer security conference in Las Vegas, but were deterred by the negative press attracted by the Jeep hack.
More carmakers are also devising ways to patch the software on their cars remotely, to address problems more quickly. So far, only Tesla and BMW are capable of this, but Ford recently said it would introduce the functionality in its vehicles, although it did not specify when.
Many experts say carmakers need to do much more, though. Corman also advocates, among other things, adding a “black box” to the computer network inside vehicles so that hacking attacks could be recorded and traced after the fact. Such a device, or something similar, might also be used to detect and stop an attack in progress.
Academics have been hacking cars for years (see “Taking Control of Cars from Afar”). But the introduction of cellular connectivity has made it easier to compromise a vehicle. Craig Smith, a security researcher who tests security for many carmakers, says he has performed feats similar to the Jeep hack in that capacity. “When it comes to finding an exploit, there are only a couple of new things you need to learn,” he says.
Most automakers are letting smartphones connect to the dashboard via Apple’s CarPlay and Google’s Android Auto (see “Rebooting the Automobile”). Even if a car lacks its own cellular connection, these systems will allow a driver to view apps, maps, and messages on the console and find information online.
Carmakers, as well as Google and Apple, say these systems pose no threat, because both essentially project the phone’s screen onto the car’s display. “They do not manipulate data,” says Brad Stertz, a spokesman for Audi, which is adding CarPlay and Android Auto to vehicles.
But security experts aren’t so sure. Charlie Miller, one of the researchers who hacked the Jeep Cherokee, says he has not examined CarPlay or Android Auto but believes they are “probably a vector,” meaning they might provide a way to access the rest of a car.
Kevin Mahaffey, CTO of Lookout and one of the researchers behind a recent Tesla hack, says this is a possibility that needs to be considered. “As cars and phones communicate a lot more, I think it starts to blend the security issues together,” he says. “I can’t make any announcements about future research, but the intersection of phones and safety-critical systems is happening more and more, so it’s an area we’re paying a lot of attention to.”
It is certainly still pretty challenging to hack a car. The Jeep hack involved reverse-engineering and reprogramming a computer chip in the vehicle’s entertainment system. Still, the requisite skills are starting to spread, as more exploit source code is published and more people become interested in vehicle security.
Corman says around 10 experts were teaching people how to hack car hardware at the Defcon event: “The population of car hackers is growing quickly.”