16-02-2015 | | By Paul Whytock
Any of you who have recently bought a new car will have quickly realised just how much of it is controlled by computers. You may be the owner that sits behind the wheel but much of what is going on is under electronic control, not yours. And this raises the question of just how hackable is your car? The disturbing answer is very.
Microprocessors and software control a plethora of vehicle safety systems from tyre pressure management to collision avoidance systems, blind spot detection, motorway lane departure warnings, driver fatigue alarms and traction control and stability systems; and that's just mentioning a few. There are the electronic engine, chassis and brake control systems that play a key role in vehicle operation as well. Cars these days can have upward of a 100 microprocessors embedded in them which means there is plenty of infiltration opportunities for malicious hackers.
Hacking is a CAN do scenario
Research engineers have already demonstrated that it's possible to hack a car with malware embedded in an MP3 and with code transmitted over a Wi-Fi connection. This sort of software break-in is made possible because of the way vehicle systems communicate through the in-vehicle Control Area Network (CAN) bus network. Unfortunately, the security of the underlying CAN protocol is susceptible to breaching. It does not have inherent security mechanisms and currently the only data security methods for CAN networks on cars are the use of proprietary CAN message IDs and a physical boundary between the CAN bus and the outside world. The problem here is that anyone with physical access to the vehicle's data bus could generate bogus CAN data destined for critical vehicle operations such as the braking system. To try and prevent this car makers do not publish the CAN IDs for various systems on the car network. However, proprietary message IDs can be identified through a reverse engineering process and there are plenty of websites offering advice when you search the Internet for CAN hacks.
What about the real world?
But what about real-world examples of hacking car computers? There are an increasing number. Here's just a few.
A 100 car owners in the USA found their cars had been disabled when a former employee of a car dealership breached a web-based vehicle immobilisation system.
Far worse than the prankster element is the malicious hacking of car safety systems. Researchers from the University of South Carolina and Rutgers University were able to hack into tyre pressure monitoring systems and Researchers at the University of Washington and San Diego created software that could hack into onboard computers to disable brakes and engines. The researchers connected to onboard computers through ports for the cars’ diagnostic system.
Fortunately there are now companies developing car security systems that will protect drivers from car hacking software. One of these is Mission Secure Incorporated (MSI) in the US. It has announced the beta release of its Secure Sentinel product platform.
Over the last year MSI developed the Secure Sentinel platform, based on research by the University of Virginia and the US Department of Defence. The system monitors, detects, informs and corrects against persistent cyber attacks. It can be deployed at low cost and the technology proved effective in overcoming auto-hacking in pilot studies involving ground vehicles.
The sobering fact is that nearly 100% of vehicles on the market are unable to monitor, detect and report on hacking incident. Interestingly Secure Sentinel not only detects a cyber attack and informs the driver it can also take corrective action in real-time automatically or guide the driver regarding appropriate corrective action.
But nevertheless, I don't think that hacking cars is going to mushroom into a major criminal activity; it just doesn't have the financial incentives that banking scams have. However, with the predicted proliferation of automated driverless vehicles I can see prankster getting some mischievous kicks by hacking into those vehicles' navigation systems and making many of us late for those all-important meetings.