The wave of new data technology making its way into the next generation of cars – ranging from vehicles which semi-autonomously drive themselves, to realtime data streaming onto head's up displays – begs the question: will they be safe from cyber shenanigans, or will you have to deploy security software on your next (probably hybrid) car?
At Blackhat last year, I watched a demo of hacking a car using wireless, where they were able to unlock its doors and start it up. The team that did the demo disclosed the situation to the car manufacturer, with the hope they could put protections in place to stop those with less-than-noble intentions (and free time) to try the same. But what if the hacking team decided to go the “Dark Side” and started unlocking cars and driving them off to chop shops?
Traditionally, cars have had rudimentary computing systems, implemented to carry out fixed tasks like measuring fuel for injection, making your transmission shift more smoothly under gentle acceleration or to improve gas mileage – things like that.
But with some manufacturers hoping to roll out location-aware browser-based or embedded information systems, can scams be far behind? Browser-based exploits have a long and inglorious history on more traditional platforms. So with the computer power required to launch these new data-driven cars, ushering in a raft of accompanying full-featured embedded computers, can that be a more full-featured scam platform as well? As we've seen with recent Java-related exploits (with more independence from the underlying host OS), it's easy to imagine a Java app working its way into the car systems and doing things you wouldn't suspect in your car, like exfiltrate your data to some remote location (or far worse).
To be sure, manufacturers of cars tend to test their systems a little more fully than a hot Silicon Valley startup vying for VC capital, where the motto tends to be “launch fast, iterate fast.” But cars tend to stay around for 10 years or more, making a vulnerability in the software stack more tricky to manage, especially over time. Automotive recalls are famously expensive, and tend to have a cooling effect for the brand in general, but what happens when some corner-case (or mainstream) hack crops up on a several year old model, as in the case of the Blackhat demo? While there may be an update cycle that can be pushed over-the-air, updates and patch cycles gone awry could have much more scary side-effects than, say, your mousepad not scrolling like it used to.
Generally speaking, auto manufacturers seem to be planning more batches of read-only interfaces than read-write, where the car simply reports on systems and information, so there's less chance of systems introducing problems, say, from users grabbing a keyboard, logging in as Administrator, and then installing things. That's a good thing. But still there are myriad wireless technologies in the works to serve up information to occupants, and that tends to also have the ability to be susceptible to nefarious downloadable nastiness.
Will we see anti-malware software for your car? I think it's too soon to tell. Hopefully good design will blunt or remove the need. On the other hand, it certainly opens up new horizons for those seeking to socially engineer you based on information that may be gathered from your car's systems, obtained either ethically or otherwise, directly from the car, or down the line. If retail marketers knew you always drove past their store, they might target their messaging to be relevant to you, especially if they could data-mine from the streams reported by your car. And the thought of automotive-based ransomware is very scary indeed; whether or not it could disable your car or simply purport to, it's still unnerving.
Hopefully, manufacturers will engage the security community early and throughout the process to help with analysis, recommendation, and testing, which will hopefully keep us all safer from car-based hacks. If that fails, you may find even more motivation to dust off that Corvette restoration project sitting in the back of your shed and breath new life into it. It's old and boring technologically-speaking, but you know what you're getting, and not more.
For more reading on this topic, check out:
- Article on vehicular vulnerabilities in Scientific American last year.
- A 2010 article from "The Truth About Cars" describing core automotive computer technology like OBD-II and ECU, and CAN.
- Interesting 2010 research paper referenced in the above article: Experimental Security Analysis of a Modern Automobile.
- Need help finding the ODB-II port on your car? It is the same technology the Progressive insurance company uses for its "Snapshot" rate reduction device.