If malware seems like a nuisance on your PC, just wait until it hits the 3,000-pound piece of metal you ride around in every day.
Fortunately, your car might soon learn to spot malevolent code before it can run amok. At an automotive conference last week, Symantec announced a product designed to catch malware by learning what patterns of data traffic should look like inside a car and raising flags if it spots something unusual. This could enable the system to spot previously unseen, or “zero day,” automotive exploits, says Brian Witten, senior director of IoT Security at Symantec.
“We learn what’s normal for how [the computers in a car] talk to each other, and we capture that,” Witten says. “If some of the modules are forced to interact with each other in a different way, the car knows it’s gone into a potentially dangerous state, and then it can try to do some remediation, or send the information back to automaker headquarters.”
Car hacking is still theoretical. But cars have proven very vulnerable to hacking by security researchers (see “Taking Control of Cars from Afar”). As vehicles become more computerized and connected, it seems inevitable that miscreants will eventually target them (see “Rebooting the Automobile”).
This March, in fact, the FBI and the National Highway Transportation Safety Authority issued a public service announcement warning that many modern cars are vulnerable to hacking. This followed headline-grabbing demonstrations performed at major security conferences. Academic experts have also warned that greater automation, built on top of many new computer systems and sensors, will introduce further security risks (see “Your Future Self-Driving Car Will Be Way More Hackable”).
Carmakers and security companies are rapidly stepping up efforts to protect cars against hackers. But the big question the industry faces is how best to protect vehicles against hackers, without following the model that has left personal computers and corporate IT systems so vulnerable. That model has hardly proven very robust, with high-profile hacking incidents alarmingly common.
“Are those the types of outcomes we want in this new domain, where nearly 100 percent of the cars we have on the road have some kind of cybersecurity event in the span of a year?” asks Beau Woods, a computer security expert who is part of I Am the Cavalry, a nonprofit dedicated to raising awareness about automotive security issues. “I think by and large the answer from policy makers, the general public, from insurers, from health-care providers, from carmakers is going to be no.”
Other security companies, as well as many carmakers themselves, are developing various security countermeasures. These include new designs for automotive computer systems and networks that encrypt code as well as additional protections like firewalls and intrusion detection systems designed to block or catch suspicious traffic, and antivirus-like software that would spot the signature of a malicious piece of code.
There is, however, plenty of evidence that carmakers could step up their game when it comes to implementing security from scratch. At a recent industry conference, Corey Thuen, a researcher at IOActive who specializes in automotive issues, presented a survey of automotive exploits demonstrated by various researchers. It showed that automotive security is now woeful. Thuen found that 45 percent of vulnerabilities would be avoided if engineers had used basic best practices, such as avoiding default passwords, not installing simple backdoors, and using secure coding methods. “Securing it in the design phase is definitely where most of the effort should be put now,” Thuen says.
Carmakers are addressing these problems and also designing future systems to be more secure, says Craig Smith, cofounder of Open Garages and author of The Car Hacker’s Handbook. Smith adds that the growing sophistication of vehicles actually presents a good opportunity to build in security. “This is what most automotive companies are working toward,” he says. “As new vehicles come to market, there is a greater emphasis on protecting the vehicle from malicious attacks.”
And for those who might wonder why anyone would want to hack a car, Thuen of IOActive makes an alarming point. “It’s not as interesting as hacking a bank, from a monetary perspective,” he says. “But if you’re talking about remote untraceable assassination, in some kind of worst case, that’s certainly a possibility.”