December 31, 2011 in Nation/World

High-tech cars are increasingly vulnerable to cyber-attacks

Steve Johnson, San Jose Mercury News
 

Imagine this nightmarish possibility: Al-Qaida terrorists cause thousands of motorists racing down a freeway during the morning commute to suddenly lose their brakes, leading to massive chaos, death and destruction. Implausible? Maybe not, some experts warn.

As cars and trucks have become laden with brainy devices to control everything from their air bags to their crash-avoidance systems, the vehicles have become increasingly vulnerable to cyber-attacks, according to recent studies by university researchers and security companies.

One found that a car’s computer controls could be remotely accessed through its Bluetooth, Wi-Fi or OnStar connections, potentially allowing terrorists to simultaneously disable the brakes of numerous cars, corporate spies to eavesdrop on a motoring executive’s phone calls, or thieves to electronically locate, break into and start cars they’ve targeted to steal. Another showed how a car’s tire-pressure warning system could be wirelessly tricked into sending false alerts to drivers, which could prompt them to stop and fall prey to robbers following them.

Speculating that villains might short-sell an auto company’s stock and then cause widespread problems in its cars, Ryan Permeh, a principal security architect at Intel’s McAfee division, added, “I can definitely imagine organized crime or potentially even nation-states leveraging weaknesses in these functions to cause different kinds of havoc.”

Although instances of car hacking have been extremely rare, the threat has gotten the attention of automakers.

“We are very, very concerned,” said Chrysler spokesman Vince Muniga, adding that it is consulting with computer experts to identify “things that may be vulnerable in the future.”

Similarly, Ford “is taking the threat very seriously” and “working to ensure that we’ve developed a product that is as resistant to attack as possible,” said Rich Strader, the company’s director of information technology, security and storage.

The subject also has gotten the federal government’s attention.

“The National Highway Traffic Safety Administration is aware of the potential for ‘hackers’ and is working with automakers to better understand what steps can and are being taken to address the problem,” the agency said in a statement, adding that it has asked the National Academy of Sciences to look into the matter.

Because of consumer demand for entertainment, convenience and safety features in cars, automakers in recent years have greatly beefed up the technology in their vehicles. It’s not unusual for luxury autos to sport 70 computerized control units that monitor everything from the engine, transmission and headlights to the cabin temperature, air bags and cruise control.

Some cars even park themselves, or automatically brake to prevent collisions. But their various wireless connections can enable hackers located some distance away to electronically infiltrate an automobile and take virtual control of it, experts have determined.

In a September report about the “emerging risks in automotive system security,” McAfee described the case last year of a disgruntled former employee of a Texas used-car dealership. By accessing the system the dealership used to remotely deactivate cars whose buyers failed to make payments, he created mayhem by blaring the horns and shutting off the engines of more than 100 vehicles.

Other problems could be coming down the road.

In a study last year, University of South Carolina researchers in one vehicle caused the tire-pressure warning system of another to send bogus alerts to its dashboard. Because such alerts could prompt drivers to pull over to check their tires, the researchers warned, “this presents ample opportunity for mischief and criminal activities.”

Another troubling flaw was uncovered by a security tester hired by an unidentified U.S. city, according to the McAfee report. After hacking into police-car camera recorders, it said, “he was easily able to upload, download and delete files that stored months’ worth of video feeds.”

Still more weaknesses were detailed in a study in August by the Center for Automotive Embedded Systems Security, a collaboration between the University of California-San Diego and the University of Washington. It concluded that thieves could wirelessly command groups of cars to report their GPS coordinates and vehicle identification numbers, enabling the crooks to learn the year, make, model and location of the most expensive ones. Then, it said, they could steal those autos by issuing other wireless commands to disable their alarms, unlock them and start their engines.

Using a related technique, the study warned, corporate spies could listen in on the phone conversations of a motoring executive, or, more disturbingly, terrorists who previously had infected numerous cars with malicious software could later command the vehicles to “simultaneously disengage the brakes when driving at high speed.”

Andre Weimerskirch, CEO of Michigan-based Escrypt, which has been helping car makers deter hackers, credited manufacturers for working hard to bolster vehicle security. But he said some independent dealers selling “after market” auto parts aren’t taking the issue as seriously.

And while much has been learned about the ways crooks can compromise cars, Stefan Savage, a computer scientist who participated in one of the recent studies, said it’s hard to anticipate all of the schemes that might be tried in the future, adding, “I would be quite surprised if there are not additional vulnerabilities.”

