In a move that both attracts young, tech-savvy car shoppers and makes the automobile a mobile device, car manufacturers are making connectivity a top priority. It’s becoming the norm to see remote start, streaming music, remote locking and unlocking, wireless tire pressure monitors, Bluetooth, and rolling Wi-Fi as standard features on the car lot. Ford models can send text and email alerts to drivers. Chryslers and Dodges constantly update traffic information and help the user reroute to save time. Mercedes’ mbrace, BMW Assist, and GM vehicles with OnStar technology allow for remote disabling of their engines in the event of theft. GM vehicles’ connectivity options let drivers update their Facebook status on the go. It’s not about power windows and locks anymore. Smartphone users expect the same convenience from their cars, but automakers are adding features faster than they are ensuring that data stays secure.
The Jeep Cherokee Hack
In July 2015, Charlie Miller and Chris Valasek, who first worked to control a Ford Prius and a Ford Escape, demonstrated the dark possibilities by wirelessly controlling a Jeep Cherokee. In what’s called a “zero day hack,” the two set up the demonstration with a journalist from Wired magazine in St. Louis. The driver, heading downtown at 70 MPH, experienced the hackers blasting cold air, turning on the windshield wipers, and changing the radio station. They sent their commands through the vehicle’s entertainment system. Miller and Valasek successfully turned off the Jeep’s transmission, lowering the car’s speed, and then took over the steering wheel, engaged the brakes, and cut the brakes out altogether. Their demonstration was done using two laptops ten miles from where the vehicle was traveling.
The hackers had discovered a vulnerability, reachable through the car’s cellular connection, that allowed them to enter and rewrite a chip in the head unit of the vehicle. Once in, they were free to rewrite the chip’s code and send silent commands without any geographic proximity. Even though there are many automakers, just a handful of suppliers sell the electronic equipment used. Often these new systems are patched into existing ones, turning the interconnectivity into a major vulnerability. The number of computers onboard a vehicle has generally doubled over the past eight years, creating numerous opportunities for attack.
Miller and Valasek have shared their research and findings with automakers. Soon after their demonstration, Fiat Chrysler recalled 1.4 million of their vehicles to close a similar security gap. Miller and Valasek are also working as advocates for consumers unaware their conveniences may come with a steep cost. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller says. “This might be the kind of software bug most likely to kill someone.”
Expanding upon their findings, the two researchers say it is possible to locate and target a specific person’s vehicle. With enough skill, hundreds of thousands of vehicles can be linked and wirelessly controlled together. Crashing a car is obviously the extreme outcome, but a jealous ex can track their spouse’s whereabouts and even record conversations inside the vehicle. High-tech thieves could replace a slim jim with a laptop to simply unlock a car, start it, and drive away.
Legislators are drafting a bill to set new standards for security across the industry and provide a rating system for consumers. It is estimated that the security as a whole throughout the automobile industry is 15-20 years behind computer OS security. Hugh Boyes with the Institute of Engineering and Technology said, “Recent reports analyzing software show that 98% of applications have serious defects and in many cases there were 10-15 defects per application.” Research conducted by the Ponemon Institute revealed that security is not a component of the software development lifecycle (SDLC) in the automobile industry. They also reported that while security is important to developers, they know they lack the skills and training necessary to make secure systems.
Several protection measures may prevent, or slow, these carhackings:
- Encrypted communications
- Store data remotely in the cloud
- System authentication
- Secure updates to fix vulnerabilities
- Security ratings similar to safety ratings to educate consumers
- Third-party testing
- Internal monitoring systems that would alert if, for example, a tire pressure monitor was attempting to access steering controls
- Segmenting the architecture so that the computers are not as interconnected
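
The last two measures, sketched as an added example (not from the original article or any automaker's code): a gateway between network segments checks each frame's message ID against an allowlist for the segment it arrived on, drops anything else, and raises an alert. The segment names, message IDs, and sample frames are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical policy: message IDs each segment may send through the gateway.
# Segment names and IDs are constructed, not taken from a real vehicle.
ALLOWED_IDS = {
    "tpms": {0x3A0},                 # tire pressure readings only
    "infotainment": {0x4F0, 0x4F1},  # media status, navigation hints
    "chassis": {0x0C0, 0x0C4},       # steering and brake commands
}
CRITICAL_IDS = {0x0C0: "steering", 0x0C4: "brakes"}

@dataclass(frozen=True)
class Frame:
    segment: str  # gateway port the frame arrived on
    msg_id: int
    data: bytes

def inspect(frame):
    """Return None if the frame is allowed, else an alert string."""
    allowed = ALLOWED_IDS.get(frame.segment)
    if allowed is None:
        return f"ALERT unknown segment {frame.segment!r} sent 0x{frame.msg_id:03X}"
    if frame.msg_id in allowed:
        return None
    target = CRITICAL_IDS.get(frame.msg_id, "unlisted function")
    return f"ALERT {frame.segment} sent 0x{frame.msg_id:03X} ({target})"

def gateway(frames):
    """Forward allowed frames, drop the rest; return (forwarded, alerts)."""
    forwarded, alerts = [], []
    for frame in frames:
        alert = inspect(frame)
        if alert is None:
            forwarded.append(frame)
        else:
            alerts.append(alert)  # default deny: the frame is not forwarded
    return forwarded, alerts

# Constructed sample traffic
SAMPLE = [
    Frame("tpms", 0x3A0, bytes([32, 32, 31, 32])),  # normal pressure report
    Frame("chassis", 0x0C0, bytes([0x01, 0x10])),   # legitimate steering frame
    Frame("tpms", 0x0C0, bytes([0x01, 0x7F])),      # TPMS segment sending steering
    Frame("infotainment", 0x0C4, bytes([0xFF])),    # head unit sending brakes
]

if __name__ == "__main__":
    for line in gateway(SAMPLE)[1]:
        print(line)
```
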
Ford has since partnered with Microsoft to provide over-the-air software updates through the driver’s home Wi-Fi connection. Earlier this year, BMW fixed a flaw in their software that would allow doors to be unlocked. Automakers are working to establish a clearinghouse to share intelligence about cyber threats and measures to protect against them.
Many new vehicle features that attract tech-savvy drivers leave much to be desired in terms of security. Remote start, engine disabling, and door unlocking are all highly desirable features to current car buyers. But as technology outpaces car manufacturers’ ability to keep up with cybersecurity, car systems are at risk of carhacking.
CIPP Exam Preparation
In preparation for the Certification Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
Information Management from a US Perspective (I.C.b.c.d.e.g.)