Computerized conveniences make cars next target for hackers

No confirmed serious attacks on cars, but automakers are skittish about publicizing efforts to deal with increasing risk

All those computerized conveniences in your new car -- dozens of them -- also make it a tempting, rolling menu of attack possibilities for hackers, who can exploit vulnerabilities to steal your car, eavesdrop on what you think are private conversations and even sabotage systems that could make it crash.

And it is only recently that auto manufacturers have started to pay closer attention to those risks, writes Jim Finkle for Reuters. "Intel's McAfee unit, best known for software that fights PC viruses, is one of a handful of firms that are looking to protect the dozens of tiny computers and electronic communications systems that are built into every modern car," he wrote.

The menu of possibilities for hackers is extensive: computer diagnostics to tell you if anything is wrong; systems that tell you how much pressure is in your tires, how many miles you have left in your fuel tank, whether your door or trunk is ajar and whether somebody is behind you when you put it in reverse; systems that manage your anti-lock brakes and your anti-theft device; and an OnStar satellite system that can start your car remotely, will notify the company if you're in an accident (including whether one or more of your airbags went off) and will let OnStar remotely shut down your car if it is stolen. In most vehicles, a computer even controls the throttle. And that is only a partial list.

There is no confirmed report yet of a serious cyber attack on an automobile. But the marketing teams for automakers are skittish about publicizing either the risks or their efforts to deal with them. Ford was one of the few companies even to confirm its efforts to build security into its Sync in-vehicle communication and entertainment system.

[See also: 'War texting' lets hackers unlock car doors via SMS]

"Ford is taking the threat very seriously and investing in security solutions that are built into the product from the outset," spokesman Alan Hall told IT News.

All of the "Big Three" U.S. manufacturers -- Ford, Chrysler and General Motors -- wouldn't say whether they knew of any of their vehicles being attacked with malicious software, or even whether they had recalled cars to fix security vulnerabilities. Hyundai, Nissan and Volkswagen would not comment, and Honda said only that it was studying the security of on-vehicle computer systems.

Finkle wrote that Toyota spokesman John Hanson told him that Toyota systems are "basically designed to change coding constantly."

"I won't say it's impossible to hack, but it's pretty close," the Toyota spokesman is quoted as saying.

Most independent experts, however, say auto manufacturers are late to the party when it comes to investing in security.

Dave Marcus, research director at McAfee, said hiring professional penetration testers is "a great start" for improving the security of automotive computer systems. But he said security needs to be "baked in" to those systems during the development and conceptual stages.

And while Toyota's systems may be good, "All systems are vulnerable to attack," he said.

Kevin McAleavey, cofounder of the KNOS Project and a malware expert, says the security of most cars is laughably porous. He said he owns a grey Honda, and when he is in a large parking lot with other, similar cars, he often punches the key fob button so he will know which car is his.

"More often than not, more than one car honks and flashes. I've even seen four or five nearby light up," he said. "What this means is that all of the cars have the same access code number and all of them respond. So right there, it's possible for someone else who happens to have the right number to open your car and probably start it up and drive off."

McAleavey said a more dangerous problem is the communication with satellite services that he said use frequencies of 800 MHz and 2.3 GHz, "which are both within the range of widely available communications equipment, and if you can get close enough to a car equipped with OnStar then you can easily overpower the legitimate signals and replace them with your own."

"I'll guess that once you've read the Vehicle Identification Number (VIN) off the dashboard in a parking lot, it would be pretty simple to calculate all of that," he said. "Fabulous James Bond 'Q'-type stuff right there. Kill the engine, apply the brakes, cripple the vehicle."

Several calls to a number for OnStar public relations went unanswered.

McAleavey said the computer controls in cars have progressed from wiring to fiber optics to wireless, all of which makes the operation more efficient, but increases risks.

"Bluetooth in the wheels to detect a blown tire and apply the antilock braking with power steering and stabilizers to bring you safely to a stop after a blowout. Genius!" he said. "But what if the car next to you had the same frequency and the same codes just like our Honda? And what if that blowout didn't really happen? What if your car's computer thinks it did because somebody else with a Bluetooth transmitter said so?"

"What are the possible repercussions of a computer overcorrecting the steering and braking for a blowout that didn't really happen? This is the kind of stuff that is now rearing its little head," McAleavey said.

Or, as McAfee executive Bruce Snell, who oversees the company's car security research, told Shane McGlaun of Daily Tech, "If your laptop crashes you'll have a bad day, but if your car crashes that could be life threatening. I don't think people need to panic now. But the future is really scary."

Dave Marcus says it doesn't have to be. "As long as people get educated to the risk, make changes to behavior and take precautions it (the future) will be less scary," he said.

But Kevin McAleavey said it will also take some serious investment by the auto companies. "The solution is the same as it is for any other network," he said. "Highly limited paths, robust encryption, and multiple redundancy in the case of those Bluetooth devices, as well as any other sensors. Isolate each feature to its own virtual channel, so you can't cross-pollinate.

"But all that is going to cost," he said.
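To make McAleavey's prescription concrete, here is an added Python sketch of what "isolate each feature to its own channel" with authenticated, replay-resistant messaging looks like on the receiving side; it also shows why the shared-access-code fob problem he describes earlier goes away when every vehicle and every feature has its own key. This is illustrative code written for this page, not code from the article, McAfee, the KNOS Project or any automaker; the master key, the VIN strings, the frame layout and the 256-message counter window are all constructed assumptions, and a production system would keep keys in tamper-resistant hardware rather than in a Python constant.

```python
import hashlib
import hmac
import struct

# Constructed sample values for this example (not a real key, not real VINs).
MASTER_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
TAG_LEN = 16          # truncated HMAC-SHA256 tag carried on every frame
COUNTER_WINDOW = 256  # assumed tolerance for transmissions the car never heard


def derive_key(master: bytes, vin: str, channel: str) -> bytes:
    """Per-vehicle, per-feature key: the fob, the tyre sensors and so on each
    get their own key, so a key for one channel cannot forge another channel,
    and a key for one car is useless against the identical car parked beside it."""
    return hmac.new(master, f"{vin}:{channel}".encode(), hashlib.sha256).digest()


def seal(key: bytes, channel: str, counter: int, payload: bytes) -> bytes:
    """Authenticated frame layout (assumed): channel(8) | counter(8) | len(1) | payload | tag."""
    header = channel.encode().ljust(8, b"\0") + struct.pack(">Q", counter)
    body = header + bytes([len(payload)]) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Sender:
    """A fob or a sensor: holds its channel key and a strictly increasing counter."""

    def __init__(self, vin: str, channel: str, master: bytes = MASTER_KEY):
        self.channel = channel
        self.key = derive_key(master, vin, channel)
        self.counter = 0  # in a real device this must survive power loss

    def send(self, payload: bytes) -> bytes:
        self.counter += 1
        return seal(self.key, self.channel, self.counter, payload)


class Vehicle:
    """Receiver: one key and one replay counter per feature channel."""

    def __init__(self, vin: str, channels, master: bytes = MASTER_KEY):
        self.keys = {ch: derive_key(master, vin, ch) for ch in channels}
        self.last_counter = {ch: 0 for ch in channels}

    def accept(self, frame: bytes):
        """Return (accepted, reason). The tag is checked before the counter, so an
        unauthenticated frame never advances or reveals replay state."""
        if len(frame) < 17 + TAG_LEN:
            return False, "malformed frame"
        channel = frame[:8].rstrip(b"\0").decode("ascii", errors="replace")
        if channel not in self.keys:
            return False, "unknown channel"
        counter = struct.unpack(">Q", frame[8:16])[0]
        plen = frame[16]
        body, tag = frame[:17 + plen], frame[17 + plen:]
        if len(tag) != TAG_LEN:
            return False, "malformed frame"
        expected = hmac.new(self.keys[channel], body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        last = self.last_counter[channel]
        if counter <= last or counter - last > COUNTER_WINDOW:
            return False, "replay or out-of-window counter"
        self.last_counter[channel] = counter
        return True, "ok"


def run_scenarios() -> dict:
    """Exercise the receiver against the situations the article describes."""
    my_car = Vehicle("VIN-CAR-A", ["fob", "tpms"])
    my_fob = Sender("VIN-CAR-A", "fob")
    other_fob = Sender("VIN-CAR-B", "fob")   # same model, different vehicle
    my_tpms = Sender("VIN-CAR-A", "tpms")    # tyre-pressure sensor

    results = {}
    unlock = my_fob.send(b"UNLOCK")
    results["own fob"] = my_car.accept(unlock)
    # The car next to yours no longer answers: its fob carries a different key.
    results["other car's fob"] = my_car.accept(other_fob.send(b"UNLOCK"))
    # A recorded unlock frame played back later is rejected by the counter.
    results["replayed unlock"] = my_car.accept(unlock)
    results["genuine tyre reading"] = my_car.accept(my_tpms.send(b"FL=32psi"))
    # A transmitter that knows the frame layout but not the key cannot fake a blowout.
    results["forged blowout"] = my_car.accept(seal(b"guess", "tpms", 99, b"FL=0psi"))
    # Channel isolation: even the car's own fob key cannot speak for the tyre sensors.
    results["cross-channel"] = my_car.accept(seal(my_fob.key, "tpms", 99, b"FL=0psi"))
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:22s} -> {'accepted' if ok else 'rejected'} ({why})")
```

The design choices map directly onto the quote: "highly limited paths" is the per-channel key table (a frame on an unknown channel is dropped before any cryptography runs), "robust encryption" is the keyed tag plus constant-time comparison, and "isolate each feature to its own virtual channel" is the per-channel key derivation and counter. The counter window is the usual trade-off between tolerating lost fob presses and limiting how far a replayed frame can be accepted.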

Copyright © 2012 IDG Communications, Inc.
