‘Go on, hack my car — if you can’
Car makers employ ethical hackers to test the vulnerability of ever more connected cars
We’re heading into a future where artificial intelligence will convey us from point A to B, and it’s estimated that self-driving cars will account for up to a quarter of vehicle sales in less than 20 years’ time.
From a road safety point of view it’s something to look forward to. Unlike humans, autonomous cars will adhere to road rules and won’t succumb to road rage, which should significantly reduce the 1.3-million road deaths taking place around the world annually.
However, this artificial intelligence could still be hacked by humans, turning the convenience of an autonomous car into a nightmarish proposition if control of it is taken over by someone with nefarious intentions. It’s a threat even today as cars get ever more computerised and connected, with infotainment and navigation systems, Wi-Fi, automatic software updates and other innovations that aim to make driving more convenient.
Last weekend’s Defcon security convention in Las Vegas, US, gave hackers the chance to try to break into the control units of cars and take over their driving functions.
The annual convention is sponsored by car makers and seeks to discover the cyber vulnerabilities of their vehicles. Manufacturers and automotive suppliers collaborate with so-called “white hat” or ethical hackers — cyber experts who help organisations identify IT security weaknesses.
Hackers had to escape a vehicle by deciphering the code to open its boot, control its radio volume and speed, and lock the doors through their computers.
“A big part of it is redefining the term ‘hacker’ away from that of a criminal to make car makers understand that we're here to make their systems more secure,” Sam Houston, senior community manager at Bugcrowd, which recruits researchers for so-called bug bounty programs at Tesla, Fiat Chrysler, and other manufacturers, told Reuters.
“Automotive provides a great challenge because the systems are distinct from other security areas,” said Craig Smith, a security researcher who, together with Robert Leale, founded the car hacking village in 2015.
Assaf Harel, chief scientist of Karamba Security, an Israeli company that provides automotive security technology, told Reuters the hacking community has opened the auto industry’s eyes.
“Car makers have been discovering new issues with their traditional architectures thanks to white hat hackers, which highlighted security needs for car makers and suppliers alike,” said Harel.
The need to manage vehicle cyber security has come into the public spotlight in several instances in recent years. At the 2013 Defcon, two security researchers hacked into car computers and took over the steering, acceleration, brakes and other functions of a 2010 Ford Escape and a 2010 Toyota Prius.
By connecting a laptop to the cars’ ECUs they were able to disable the brakes while the car was in motion, jerk the steering wheel, accelerate, switch off the engine, yank the seat belt, display incorrect speedometer and fuel gauge readings, and turn the car’s lights on and off.
Two years later a team of IOActive researchers wirelessly compromised a Jeep Cherokee by hacking its infotainment system. They remotely changed the aircon settings, switched radio stations, turned on the windscreen wipers and water jets, and ran the vehicle off the road.
The hackers used software that let them control the steering, brakes, engine and transmission from a laptop, and it was estimated that as many as 471,000 vehicles could have been vulnerable to such attacks.
In 2016, Computest researchers exposed vulnerabilities in the infotainment systems of some Volkswagen and Audi models, and remotely seized control of infotainment dashboard microphones, navigation systems and speakers.
Hackers have also gained access to some vehicles’ internal systems via their GPS tracking systems, where they were able to turn off cars’ engines as they drove.
Modern vehicles are computers on wheels with software controlling everything from the infotainment system to safety systems like steering, acceleration and brakes.
Flimsy cyber security will become even more of an issue in the future as fleets of self-driving cars use the Internet of Things to avoid crashing into one another.
A recent report by the Ponemon Institute, titled Securing the Connected Car: A Study of Automotive Industry Cybersecurity Practices, found that software security is not keeping pace with technology in the motor industry, and that just 10% of companies have a cybersecurity team.
“Cybersecurity should not be treated as an afterthought or an aftermarket issue. It has to be understood that this has to be built in. It's not an add-on,” Ami Dotan, CEO of Karamba Security, told Automotive News.
According to carhackingvillage.com, vehicle technologies haven’t kept pace with today’s more hostile security environment, leaving millions vulnerable to attack.
“Car Hacking Village plays an important role for researchers interested in the safety and security of the more than one billion vehicles on the road worldwide,” according to the website.