A recent article I read described the workings of two teams of computer scientist looking into the security vulnerabilities in our modern automobile industry. You see, the new generation of networked vehicles conveniently connects to the internet and all kinds of tech gadgets known to men or so it’s projected. The proverbial tradeoffs of convenience vs. security immediately start to play out. I like to take creative license from a security guru, who I have come to admire, to develop the following movie plot—crisis scenarios; which I hope would spark interest among my readers; followed by a healthy dose of skepticism about the risks we’re thrusted into in our ever more connected world. Bear in mind that I’m no Luddite; in fact I’m an avid user and fan of technology in the general sense, but I’m also a realist and recognize risk when I see it.
Two teams of computer security specialists at the University of Washington and the University of California are presenting their research describing how internet connectivity could render modern automobiles vulnerable to hacker attacks. In other words they claim to be “able to remotely control braking and other functions” using the same exploits that have been deployed effectively for so long in the PC industry. Their findings describe how access to software that runs the on-board computers for most late-model cars can be taken over, to wrestle control from the driver; while in motion, over critical driving functions like braking (individually or selective wheels) and even shutting off the engine itself. These vulnerabilities exist despite the complex safeguards that have been programmed into the vehicle’s computer systems—once again “little thought has been given to the potential threat of hackers who may want to take over the networks that increasingly control modern cars.”
Worldwide, there are close to1 billion late-model cars on the road today; add to that our increasing appetite for cars that offer the latest and greatest in network connectivity; this alone is enough reason to be concerned about any potential vulnerabilities even hypothetical one. The recent Toyota crisis demonstrated just how unprepared the automobile industry has been to manage major safety defects in their vehicles. Let’s extrapolate from that ordeal experience by this car manufacturer, to illustrate the potential dangers that the study above reveals. Let’s just say for argument sake that some time in the not-so-distant future cars are in their third generation of internet connectivity; and hackers have figured out how to introduce malicious code to the cars’ onboard computer or Electronic Control Unit (ECU) via wireless (“wide-area cellular connections”) networks.
A wave of suspicious car accident reports have made it to the local press and word has started to quickly spread of a possible DoS attack or similar exploits; which has given hackers remote control over vehicle controls through “distributed internal connectivity and telemetric interfaces”. Breaking news flash informs the general public that the accidents have been caused by so-called involuntary breaking; which coincides with several other accidents around the country, including several cargo trucks that have veered off the road. The incidents have provoked major collisions on I-95 North, as well as on Route 280 South. There are no confirmed reports of fatalities, but people have begun to flood the car manufacturer’s toll free number.
You receive an anonymous email (Blackmail) from the Hackers Liberation Front, an unknown organization up until then, which threatens to destroy your car brand, through these deliberate remote vehicle safety device tampering, unless you pay a ten million dollar ransom. Your crisis management team springs into action….
The question hangs in the air, is this realistic crisis scenario or just a movie plot far removed from our current reality? Sometimes reality could be estranger than fiction. Over the last few years we have seen a dangerous fusion of organized crime groups with terrorist organizations under the umbrella of the global illicit economy. So far they’ve shown incredible adaptability integrating technology into their criminal operations and dexterity in the recruitment and employment of hackers to exploit weak network systems to extract huge profits. Since much of our society depends on mobility, the terrorist could perhaps seize the opportunity to disrupt our interstate supply chain by attacking the ECU technology inside our cargo trucks through their telematics systems. Just imagine that the very same safety and security (systems invented to make the driving experience safer (vehicle theft recovery, value-added features such as automatic crash response, and remote diagnostics) could be used against us in a manner tantamount to kids playing a warped video game in some far off place; all because of our shortsightedness, and yet another failure of imagination. That cannot stand.
What are we to do?
One thing is clear to must security-conscious individuals, whether you have conceptualized it this way or not; security is this complex tradeoff between convenience and loss of privacy, which we attempt to control based on our tolerance for risks. The majority of us has a very ingrained love affair with our cars and increasingly with high tech gadgets; therefore in some ways is logical that master marketers would combine those too, always with profit as the main motive. Security and safety are merely secondary, if at all. But it doesn’t have to be that way. The proposed “App Store” for automotive applications, as well as, “vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2X) communications systems” are not yet realities, which means that there is still time for car buyers to advocate or outright demand that security protocols (encryption technology, updated firmware with secure algorithms, that would in turn strength access control etc.) are built into the systems. Otherwise we would be buying anti-virus not only our burgeoning gadget collections, but also for our vehicles. Unless we are ready to accept having nefarious actors turn our thrill of the road into the nightmare of the road, we should demand that the car manufacturers assume their duty of care to protect ECU’s for all cars and trucks.