Alfred Hitchcock or Rod Serling could never have dreamt this one up. It’s pretty scary to think the same vicious clowns that crashed your home computer with a fatal virus can now hack into your new car’s computer and start the engine while you sleep. Will your carbon monoxide detector wake your family before your garaged car gases out the entire house, ending in tragedy?
It’s not just about carburetors, ignition points, or Powerglide transmissions anymore. The dawn of fuel injection and overdrive automatic transmissions brought a tremendous improvement in fuel economy and spent carbon emissions, and took expected engine life and powertrain performance up from 100,000 miles to 300,000 miles, but it was the introduction of the computer that forever changed how the automobile interacts with humans.
Super Chevy recently read an article by Asaf Ashkenazi on the subject and asked Mr. Ashkenazi to write an in-depth article tailored for Super Chevy’s audience.
From Asaf Ashkenazi, Vice President of Strategy at Inside Secure, prepared for John Gilbert, Technology Editor at Motor Trend Group:
“Today’s cars have more in common with powerful computers than with their mechanical machine ancestors. And as more and more cars become internet-connected, cybersecurity has become a pressing issue for the automotive industry.
Most of the industry’s security efforts are rightfully dedicated to protecting the car’s numerous components. But as smartphones have become integrated into our lives, an entirely new type of vulnerability has been introduced, one with which car manufacturers are much less accustomed to coping. The apps that allow drivers to control their cars from their phones are a new entry point for attackers to breach.
These apps allow drivers to execute various functions, like starting and stopping the engine, locking or unlocking the doors or disarming the security system, etc. The apps can also track the vehicle’s location using GPS. Most of these apps don’t connect directly to the car, said Asaf Ashkenazi, an application security expert at Inside Secure.
“Typically, a cloud service takes requests from the app and forwards them to the vehicle via cellular link,” Ashkenazi said. “The car trusts any request it receives from its cloud service, so it’s crucial that requests are initiated from the right person.”
But smartphones and apps of all kinds can have vulnerabilities and unpatched security holes, says Ashkenazi. If an attacker were to compromise the car’s smartphone app, hackers could pass commands to the cloud service that would look like they were issued by a legitimate user, and the car would obediently follow them. “Hackers could unlock the vehicle, start it up and drive it away, all without ever needing to break in,” he says. On some models, they could even preset the A/C and music for their trip.
“This is a major change for car companies, because the security of the vehicle depends on the security of components that are totally separate from the car itself. The security of the smartphone determines the security of the car,” Ashkenazi continued.
Say, for example, you’re putting off your smartphone’s latest update. Or, say you’ve accidentally installed a malicious application or entered your login info to a scam website. It’s not just your personal information that’s at risk: it’s now your car as well. But Ashkenazi says that is not the worst-case scenario.
“There’s a bigger concern here. If a hacker managed to compromise the app’s security, this attack could be replicated to all users of the application, granting control to tens of thousands of cars through the cloud service.”
Online marketplaces already exist for email scamming tools and fake website kits, so it’s not a leap to imagine a hacker operating a service that unlocks an app user’s specific car on demand. Or worse, a hacker could remotely start the engines of thousands of cars, many of which would be in unventilated garages, resulting in serious injuries and potentially death.
This issue is far from speculation -- we’re beginning to see these types of attacks already. One hundred drivers in Austin, Texas, found their cars disabled or the horns honking out of control after an intruder ran amok in a web-based vehicle-immobilization system. And just recently, a British car owner woke up to a missing vehicle after two hackers used an iPad to unlock it and drive it away without the owner’s key fob. While both of these attacks had unique vulnerabilities allowing hackers to gain access, the risks will continue to grow as more and more functionalities are added to smartphones.
Protecting cars from cyber attacks will remain the responsibility of car manufacturers, but we should keep in mind that vehicle thefts and attacks may soon no longer require physical access to the vehicle or its components.
“Manufacturers should take note of the risks involved and protect their apps from reverse-engineering and tampering. Strong user authentication and securing application keys are important. After all, keeping users’ credentials safe from theft should be a grave concern to auto manufacturers, just like it is to us, the users.”