Auto Hacking

TECHNOLOGY

The Internet of Things is vulnerable. In theory, even your car could get hacked.

In our society, Internet-enabled computers are literally everywhere. From a security perspective (and also generally), traditional computers like desktops and laptops have a mature software ecosystem; antivirus suites are not just widely available, a majority of computers have one that is up to date. Anti-malware apps are even available for the major mobile phone platforms; if you don’t already have an antivirus for your mobile phone or tablet, get one.

What about other kinds of devices, i.e., the ones we tend not to think about? The Internet of Things (IoT), is a very broad category of Internet-enabled devices that tend to operate autonomously, ranging from home security systems, smart hydro meters and smart thermostats, to parking meters, cars and beyond. Yes, your car could, theoretically, be hacked.

Attack Surfaces

The concern of many researchers is that access to an IoT device may be compromised because of easy entry via “attack surfaces”, which is basically any method that could be used to communicate with the embedded computer. A complex device (e.g., a car) has many interfaces via electronic conveniences such as Bluetooth, Wi-Fi, cellular network, keyless entry systems and even tire pressure monitoring systems. It may then be possible to gain access through the backdoor, so to speak, into the vehicle’s computers.

Indeed, at a Black Hat security conference in Las Vegas in 2014, two professional hackers, Charlie Miller and Chris Valasek, presented a 92-page paper that documented their review of 24 makes and models of vehicles and ranked their theoretical hackability. In addition to attack surfaces, the researchers examined the vehicles’ internal network architecture (i.e., which components are able to directly communicate with each other) and ‘cyberphysical’ features (e.g., assisted parking and automated braking) a nefarious hacker could manipulate to create a potentially dangerous situation. Although none of the vehicles was actually hacked, the researchers demonstrated that not all cars are designed with network security in mind. It was discovered that the most vulnerable models were susceptible because they had wireless “attack surfaces” that were not insulated from the car’s network.

Not only cars are susceptible: a 2014 study found that Internet of Things devices have on average 25 vulnerabilities each!

As a result of ongoing research and some news headlines, manufacturers are becoming aware of the potential for hackers to gain unauthorized access to these devices. News items question whether businesses should be concerned about cyber attacks on their vehicles or equipment. Pragmatically, the answer would be “no” simply because there is little financial incentive for anyone to hack into most of the vehicles or equipment business owners use; known exploits tend to be rather labourious and limited to one device at a time rather than many devices en masse. However, financial incentive is not always the motivation. Recent news snippets have demonstrated revenge and challenge can be motivators.

In Texas, a disgruntled ex-employee of a web-based immobilization system disabled some vehicles and left others with their horns honking continuously. In other controlled research situations, tire pressure monitoring systems were hacked and turned on warning lights and windshield wipers, while braking systems were disabled and engines stopped.

Can Your Vehicles Be Hacked?

For the time being most researchers agree it is unlikely that businesses and consumers need to be concerned about vehicles being hacked and running amok. At the same time, however, they are urging vehicle owners to take a few precautions to safeguard against electronic mischief. A few suggestions include:

• Ensure that passwords to an auto security and information service such as OnStar are not left in the vehicle.
• Minimize the possibility of manipulation of your vehicle’s computer system by using only a reputable shop for your vehicle’s repairs.
• Don’t be talked into installing aftermarket devices that may be able to track your movement or allow backdoor access to the vehicle’s driving functions thereby leaving you vulnerable to an outside party.
• Always lock your vehicle to prevent tampering.

Recommendations

Whether your business is already using Internet of Things devices, or is considering IoT, experts recommend:

• Separate the IoT devices from the other devices on your network by using a firewall.
• Consider security features when evaluating potential IoT products.
• Configure security features like strong password requirements and two-factor authentication.
• Regularly update the firmware/software on all devices, if available.

The Future

The explosion of growth of the Internet of Things and the evolution of connectivity between humans and devices mean that devices will become more prevalent and potentially vulnerable to cyber attack. It may take some time for the IoT industry to catch up with the security standards and processes that have developed since personal computers “hooked-up” to the Internet. Unlike laptops or mobile phones, there is currently no antivirus available for your car or thermostat. Most security recommendations for IoT devices are similar to the best practices we already follow today for computers and physical infrastructure.