You're driving down the highway in your car, when all of a sudden the engine cuts out. As you try to steer the car off the road, all the air is letting out of your tires. Your horn starts blaring on its own, and then your airbag deploys. And due to a seemingly series of malfunctions, you are involved in an eight-car pile-up.
But was it actually a series of malfunctions? What if you were told that five cars around you had the same malfunctions? Is this unbelievable? Maybe not.
Recent news reports published by Scientific American, Car and Driver, Discovery Magazine, Technology Review, and other media outlets say it might be possible for hackers to gain access to computer systems that control vital functions, making it dangerous to drive.
"Because they are hidden, people don't often understand that there can be anywhere from 30 to 40 microprocessors in most cars and even up to 100 different ones running different functions in some vehicles," says Stephan A. Tarnutzer, chief operating officer for DGE Inc., an electronic designs and consulting firm for auto manufacturers and suppliers.
What controls the car you drive?
Each year, automakers increasingly turn over the control of vital functions to computers. So, while you are behind the wheel driving your car, functions such as breaking, airbag deployment, starting and shutting off your engine, gas and oil mixture and flow, and regulating how much air is in your tires, among many other functions, are not under your control.
For example, recently a disgruntled former employee of an Austin, Texas, car dealership, took control of a Web-based system allowing him to disable vehicles and make car horns honk continuously. He managed to disable the engines of more than 100 cars, and making the horns on many other vehicles honk uncontrollably.
In other cases, researchers from the University of South Carolina and Rutgers University hacked into tire pressure monitoring systems. All they needed was equipment and free software, all easily available in stores, to trigger warning lights and remotely tracked cars using the vehicle's own monitoring system.
At the Center for Automotive Embedded Systems Security (CAESS), researchers discovered that the internal computer systems in today's vehicles are vulnerable to hackers' attacks. These researchers, with no special knowledge about cars, took control of door locks, disabled breaking systems, and turned engines off while the car was driving, among many other functions.
CAESS a collaboration between the University of California San Diego and the University of Washington to ensure the safety of embedded computer systems installed in automobiles, produced two reports detailing the attacks they were able to do to vehicles, and the dangers to drivers if someone really wanted to create chaos on the highways.
Access to your car's computer network
In their report "Comprehensive Experimental Analyses of Automotive Attack Surfaces," the CAESS discovered "remote exploitation is feasible via a broad range of attack vectors."
Ways into a vehicle's systems include, but not limited to: mechanic tools, CD players, Bluetooth and cellular radios, and wireless communications provide long distance vehicle control, where before the introduction, a car needed to be hard-wired to a computer to access all the microprocessors.
President and co-founder of Superior Tech Solutions, John Luludis, said there are similarities to using computers in cars and the way we use our personal computers. And when the automobile industry installed wireless access into vehicles, like the Internet, your car is now an open system, available to outsiders.
"Once you have a connection to vehicles, you have an entry point for people to try to access," said Luludis. "The only thing standing in their way now is a standardized piece of software. It's a concern we need to address."
Although the potential for hacking into a car's computer system is real, experts are saying that there may be no money in it for hackers to work on vehicles, right now. But certain groups, such as terrorists, need no financial incentives to create fear behind the wheel of your car.
"All the malware attacks consumers are faced with every day have financial motives behind them," says Ryan Smith, a principal researcher with Accuvant Labs, who finds vulnerabilities in computer systems.
However, the increased reliance on wireless systems can make your car an easy target to attacks, said John Bambene, a security researcher with the Internet Storm Center, an international cooperative community that monitors cyber threats.
Potential threats to your car's systems start at the wireless entry into a car's computer system. Some of this access may be limited, based on how luxurious the car is. According to Bambene, wireless access to a car can be accomplished through: the satellite radio; GPS; automatic crash-response systems; and with the introduction of 4G, dashboard access to your cell phone; Internet services; and vehicle to vehicle communication systems.
Theoretically, a hacker could open car doors, activate airbags, deactivate your brakes, remove or add air to your tires (if you have air pressure monitoring), and turn your engine off while you are driving down the highway traveling at 70 mph. Once the hacker has access to one internal network, it is easy to move around inside your car's computer system.
Startling findings by CAESS reports on the real dangers
According to another report by the CEASS, "Experimental Security Analysis of a Modern Automobile," the amount of control and potential dangers posed are startling. The CEASS performed live road tests to see if they could affect critical car functions by hacking into the car's computers.
Two different cars were used, both traveling at 40 mph when the tests were conducted. Test were done by both embedding malicious code and by transmitting commands while the cars were moving.
The researchers found out they were able to forcibly and completely disengage the brakes, as well as activating the breaks while the car was traveling at 40 mph, lurching the driver forward. The team were able to control the internal and external lighting, and change the displays on the dashboard. In one instance, the speedometer in the car, while actually traveling at 40 mph, said it was doing 140 mph and the gear was in park.
One of the report's conclusions stated, "We knew that adversaries might be able to do damage by attacking the components within cars. We did not, however, anticipate that we would be able to directly manipulate safety critical ECUs (indeed, all ECUs that we tested) or that we would be allowed to create unsafe conditions of such magnitude."
The team also discovered that programming code can be added to the various systems within the car's network, and after allowing "malicious action" to occur, the code deleted itself. So if code was planted, say at a repair shop to cause a car crash, there would be no way to forensically retrieve the code after it deleted itself.
"Absent any such forensic trail, it may be infeasible to determine if a particular crash is caused by an attack or not. While a seemingly minor point, we believe that this is in fact a very dangerous capability as it minimizes the possibility of any law enforcement action that might deter individuals from using such attacks," the report stated.
Protect your car from hacking
Currently, there is little in the way to prevent hackers from gaining access to your car's computer systems. In addition, there has been only a few cases where a real hacker has hacked into car systems. It is the future that we need to worry about. Imagine this power in the hands of terrorists. This may have a crippling effect on our nation's transportation infrastructure.
In addition, the lives of our fighting men and women may be put into jeopardy if our enemy has the ability disable their vehicles, or create situations that results in crashing the vehicle.
Today, criminals are using the car's computer systems to their advantage. Police departments around the country are reporting that high-end professional car theft rings are using laptops to steal cars. In a television special on the Discovery Channel, a thief showed how easy it is to use a laptop to: disable the alarm system; disable the GPS and other tracking systems; start the engine; unlock the steering column and drive away.
The thief does not necessarily have to plug the laptop into the onboard computer if the vehicle is equipped with wireless access. Without wireless, the thief just needs to plug the laptop into one of the computer boards. In either case, he now has access to every system in the car.
Security is the responsibility of the manufacturers of automobiles, who, according to Bambene, are working at addressing this issue.
However, while waiting for the automotive industry to develop safeguards, Bambene has suggested the following steps you can take to protect your vehicle:
1) Ask about and familiarize yourself with your vehicle's wireless systems if you are purchasing a new car. Check your owner's manual or research online for any cars you already own. Check to see if any system on your car can be operated remotely.
2) Ask about remote shutdown capabilities of your vehicle. Many manufacturers are installing remote shutdown capabilities to help repossess any car the manufacturer is financing. Ask if there are any security measures and who has access or controls this system.
3) Service your vehicle at reputable dealers and repair shops. It is possible for unscrupulous operators to alter your vehicle's computer systems, making it seem to you that repairs are needed that aren't actually warranted. Since repair shops have their own computers, they can insert codes that will make you engine run rough, unable to start or shutdown, or appear to be overheating. Today, a car bases these decisions on computer code, which can be changed by repair shop.
4) "Be cautious about aftermarket devices. After-market car systems may not be as rigorously tested or designed, opening you to vulnerabilities," said Tarnutzer.
Copyright ©2014 by George McGinn. All Rights Reserved. Use and/or duplication of this material, including publishing, broadcasting, rewriting or redistributed is strictly prohibited. Except and link-backs allowed. For usage requests, contact author at firstname.lastname@example.org.