16-02-2015 | | By Paul Whytock
Any of you who have recently bought a new car will quickly realise how much of it is controlled by computers. You may be the owner behind the wheel, but much of what is happening is under electronic control, not yours. And this raises the question, can someone hack your car? The disturbing answer is very.
Microprocessors and software control a plethora of vehicle safety systems, from tyre pressure management to collision avoidance systems, blind-spot detection, motorway lane departure warnings, driver fatigue alarms and traction control and stability systems; and that’s just mentioning a few. There are the electronic engine, chassis and brake control systems that play a crucial role in vehicle operation as well. These days, cars can have upward of 100 microprocessors embedded in them, which means there are plenty of infiltration opportunities for malicious hackers.
The question, can a car be hacked and controlled? has already been answered by research engineers who have demonstrated that it’s possible to hack a car with malware embedded in an MP3 and with code transmitted over a Wi-Fi connection. This sort of software break-in is made possible because of how vehicle systems communicate through the in-vehicle Control Area Network (CAN) bus network. Unfortunately, the security of the underlying CAN protocol is susceptible to breaches, and it does not have inherent security mechanisms. Currently, the only data security methods for CAN networks on cars are proprietary CAN message IDs and a physical boundary between the CAN bus and the outside world. The problem here is that anyone with physical access to the vehicle’s data bus could generate bogus CAN data destined for critical vehicle operations such as the braking system. To try and prevent this, carmakers do not publish the CAN IDs for various systems on the car network. However, proprietary message IDs can be identified through a reverse engineering process, and there are plenty of websites offering advice when you search the Internet for CAN hacks.
But what about real-world examples of hacking car computers? There are an increasing number, and here are just a few.
A 100 car owners in the USA found their cars had been disabled when a former employee of a car dealership breached a web-based vehicle immobilisation system.
Far worse than the prankster element is the malicious hacking of car safety systems. Researchers from the University of South Carolina and Rutgers University were able to hack into tyre pressure monitoring systems, and Researchers at the University of Washington and San Diego created software that could hack into onboard computers to disable brakes and engines. The researchers connected to onboard computers through ports for the cars’ diagnostic system.
Fortunately, companies are now developing car security systems that will protect drivers from car hacking software. One of these is Mission Secure Incorporated (MSI) in the US, and it has announced the beta release of its Secure Sentinel product platform.
Over the last year, MSI developed the Secure Sentinel platform based on research by the University of Virginia and the US Department of Defence. The system monitors, detects, informs and corrects against persistent cyber-attacks. It can be deployed at a low cost, and the technology proved effective in overcoming auto-hacking in pilot studies involving ground vehicles.
The sobering fact is that nearly 100% of vehicles on the market cannot monitor, detect and report hacking incidents. Interestingly Secure Sentinel not only detects a cyber attack and informs the driver, but it can also take corrective action in real-time automatically or guide the driver regarding appropriate corrective action.
But nevertheless, I don’t think that hacking cars will mushroom into a major criminal activity; it just doesn’t have the financial incentives that banking scams have. However, with the predicted proliferation of automated driverless vehicles, I can see pranksters getting some mischievous kicks by hacking into those vehicles’ navigation systems and making many of us late for those all-important meetings.