Auto Hacking

TECHNOLOGY

The Internet of Things is vulnerable. In theory, even
your car could get hacked.

In our society, Internet-enabled computers are literally
everywhere. From a security perspective (and also generally),
traditional computers like desktops and laptops
have a mature software ecosystem; antivirus suites are
not just widely available, a majority of computers have
one that is up to date. Anti-malware apps are even
available for the major mobile phone platforms; if you
don’t already have an antivirus for your mobile phone
or tablet, get one.

What about other kinds of devices, i.e., the ones we
tend not to think about? The Internet of Things (IoT),
is a very broad category of Internet-enabled devices
that tend to operate autonomously, ranging from home
security systems, smart hydro meters and smart thermostats,
to parking meters, cars and beyond. Yes, your
car could, theoretically, be hacked.

Attack Surfaces

The concern of many researchers is that access to an
IoT device may be compromised because of easy entry
via “attack surfaces”, which is basically any method
that could be used to communicate with the embedded
computer. A complex device (e.g., a car) has many
interfaces via electronic conveniences such as Bluetooth,
Wi-Fi, cellular network, keyless entry systems
and even tire pressure monitoring systems. It may then
be possible to gain access through the backdoor, so to
speak, into the vehicle’s computers.

Indeed, at a Black Hat security conference in Las
Vegas in 2014, two professional hackers, Charlie Miller
and Chris Valasek, presented a 92-page paper that
documented their review of 24 makes and models of
vehicles and ranked their theoretical hackability. In
addition to attack surfaces, the researchers examined
the vehicles’ internal network architecture (i.e., which
components are able to directly communicate with
each other) and ‘cyberphysical’ features (e.g., assisted
parking and automated braking) a nefarious hacker
could manipulate to create a potentially dangerous
situation. Although none of the vehicles was actually
hacked, the researchers demonstrated that not all
cars are designed with network security in mind. It
was discovered that the most vulnerable models were
susceptible because they had wireless “attack surfaces”
that were not insulated from the car’s network.

Not only cars are susceptible: a 2014 study found that
Internet of Things devices have on average 25 vulnerabilities
each!

As a result of ongoing research and some news
headlines, manufacturers are becoming aware of the
potential for hackers to gain unauthorized access to
these devices. News items question whether businesses
should be concerned about cyber attacks on their
vehicles or equipment. Pragmatically, the answer would
be “no” simply because there is little financial incentive
for anyone to hack into most of the vehicles or equipment
business owners use; known exploits tend to be
rather labourious and limited to one device at a time
rather than many devices en masse. However, financial
incentive is not always the motivation. Recent news
snippets have demonstrated revenge and challenge can
be motivators.

In Texas, a disgruntled ex-employee of a web-based
immobilization system disabled some vehicles and left
others with their horns honking continuously. In other
controlled research situations, tire pressure monitoring
systems were hacked and turned on warning lights and
windshield wipers, while braking systems were disabled
and engines stopped.

Can Your Vehicles Be Hacked?

For the time being most researchers agree it is unlikely
that businesses and consumers need to be concerned
about vehicles being hacked and running amok. At the
same time, however, they are urging vehicle owners to
take a few precautions to safeguard against electronic
mischief. A few suggestions include:

• Ensure that passwords to an auto security and
  information service such as OnStar are not left in
  the vehicle.
• Minimize the possibility of manipulation of your
  vehicle’s computer system by using only a reputable
  shop for your vehicle’s repairs.
• Don’t be talked into installing aftermarket devices
  that may be able to track your movement or allow
  backdoor access to the vehicle’s driving functions
  thereby leaving you vulnerable to an outside party.
• Always lock your vehicle to prevent tampering.

Recommendations

Whether your business is already using Internet
of Things devices, or is considering IoT, experts
recommend:

• Separate the IoT devices from the other devices on
  your network by using a firewall.
• Consider security features when evaluating potential
  IoT products.
• Configure security features like strong password
  requirements and two-factor authentication.
• Regularly update the firmware/software on all
  devices, if available.

The Future

The explosion of growth of the Internet of Things and
the evolution of connectivity between humans and
devices mean that devices will become more prevalent
and potentially vulnerable to cyber attack. It may take
some time for the IoT industry to catch up with the
security standards and processes that have developed
since personal computers “hooked-up” to the Internet.
Unlike laptops or mobile phones, there is currently no
antivirus available for your car or thermostat. Most
security recommendations for IoT devices are similar
to the best practices we already follow today for computers
and physical infrastructure.