Carhacking

Intruders can tap into vehicle systems to access cellphone calls, GPS signals—even the brakes—with no industry regulations in sight.

A U.S. senator drives from Capitol Hill to her home in Virginia, listening to the CD a constituent gave her. Going with the speed of traffic at 60 miles per hour, her brakes suddenly engage. Then an SUV rams the politician’s sedan from behind, killing her on impact. It turns out an extremist assassin had hijacked the car’s controls after infecting the CD with malicious code that penetrated the vehicle’s network. 

In another scenario, two intelligence agents driving to CIA headquarters get a call from their branch chief, which the driver answers on a hands-free Bluetooth connection. After hanging up, the agents brainstorm how to pursue the tip they’ve just received while a foreign intelligence operative records their conversation. The adversary had cracked the Bluetooth system to bug the in-car microphone.  

Think about cyber threats and probably the last thing that comes to mind is your car. But cars can expose personal information through features like OnStar and Ford SYNC. Hackers can unlock the doors, kill the engine and deactivate the starter. For now, the chances of such exploits happening are slim, given the sophisticated technical skills required. But they will become easier as car systems become more intertwined with commercial communications networks.

Researchers have proved during live road tests that these wireless attacks can work. Aggressive driving could take on new meaning in the absence of cyber rules for the road. 

Wireless services like SYNC and OnStar embedded in an in-dash electronics panel can offer attackers access to personal information and critical operational components, like brakes. 

Bluetooth and cellular links have “roots in other worlds,” says Stefan Savage, a University of California, San Diego computer science professor and principal investigator on the hack experiments. “Bluetooth is not just used in your car. It’s used in your iPod. It’s a very general protocol that’s designed to do a lot of different things and that tends to create problems.”

No Rules 

The really scary part: There are no guidelines for automobile cyber safety. Regulators either won’t or can’t do much about the risks.

In response to questions about the status of network security research and mandates, National Highway Traffic Safety Administration officials said in a statement that “NHTSA is aware of the potential for ‘hackers’ and other cybersecurity issues whenever technology is involved; however, the agency is not aware of any real-world cybersecurity issues in vehicles.” When asked by Government Executive whether NHTSA is developing recommendations for manufacturers, officials referred back to the statement.

Security problems are real, however. In 2010, a disgruntled former employee of an auto dealership allegedly remotely deactivated the ignition systems of customers’ vehicles in Austin, Texas. That same year, the researchers showed how intruders can infiltrate computers tied to virtually every aspect of a car’s functionality, including speedometers and entertainment consoles. 

Practically speaking, regulating cybersecurity on the road would be a feat for many reasons, say academics and privacy advocates. For one thing, the rule-making process would constantly lag behind quick-morphing threats. Also, NHTSA might not even know what to say, judging by a recent National Academy of Sciences study that found the agency is in the early stages of understanding vehicular network security. Some experts reason that NHTSA is not acting because the agency typically doesn’t until a safety issue is pervasive on the road.

“There’s no clear evidence or no clear strict need for regulation at this point,” says John Maddox, who was NHTSA’s associate administrator for vehicle safety research until August 2012. “What we do need is to conduct the research to study the problem very carefully.”

Most experts agree that regulators, manufacturers and consumers must get a better handle on vehicle cyber defenses.

At least four institutions and two automobile associations are developing recommended best practices. In 2011, the Transportation Department’s John A. Volpe National Transportation Systems Center presented NHTSA with advice on how to go about drafting guidelines. In November 2012, an agency official involved in cyber research planning spoke out about car safety and dependability at a workshop the University of Maryland hosted.

Revving Up Research

NHTSA’s 2013 budget request suggests that the agency may be weighing regulations. The document reveals plans to “conduct rule-making-ready research to establish electronic requirements for vehicle control systems” in everyday cars. The budget proposes establishing a $10 million program to study cyber risks, starting this year.

The National Academy of Sciences’ study, which was released in January 2012—and famously dispelled allegations that Toyota electronics caused unintended acceleration—urged NHTSA to get up to speed in cyber. The report criticized the agency for lacking the technical competency to probe the Toyota issue without outside help. NHTSA’s Office of Vehicle Safety Research does not study cybersecurity, according to the academy.

The proposed 2013 agenda aligns with the academy’s advice and also would involve other cyber-related federal agencies. Already, the Defense Department’s Cyber Crime Center, which is the Pentagon’s computer forensics hub, has examined the SYNC in-car voice-recognition system to flag potential threats, according to contractor Lockheed Martin Corp. Under the budget strategy, NHTSA staff would attempt to pinpoint problems in car electronics before they go into production.

Sen. Jay Rockefeller, D-W.Va., chairman of the Commerce, Science and Transportation Committee, plans to follow the regulator’s progress in charting cyber concerns, committee aides say. “The chairman is aware of the potential issues revolving around in-car computers,” Rockefeller spokesman Kevin McAlister says, noting the committee “will work to ensure that NHTSA performs the necessary actions to protect drivers and passengers.”

In the lab, researchers from UC San Diego and the University of Washington overrode an assortment of car safety systems, unafraid to meddle with the engine. “The kinds of things you worry about is either that your car is leaking information that you wish to be private,” such as your driving habits or what your passengers are saying, “or that an adversary can control features of your car,” Savage says.

During one expedition, the team was able to access a car’s internal network to disengage the brakes, making it difficult for the driver to stop. The investigators also succeeded in forcing the brakes to deploy, lurching the driver forward. Another demonstration showed how seemingly innocuous car tools, such as infected music CDs, FM radios and wireless tire pressure sensors, facilitate these sorts of attacks.

Car-Code Attacker

Citing the researchers’ work, the academy pointed to an actual cyber incident that highlights looming dangers. The dealership ex-employee reportedly manipulated in-car systems that lock the engine when clients skip payments—essentially an alternative to repossession. By exploiting the program, he immobilized the starters and Global Positioning Systems on about 100 vehicles, leaving drivers’ parked cars stranded. “Obviously, had such an attack compromised a vehicle’s power train, braking and other operating systems while being driven, the consequences could have been much more severe,” the academy report stated.

Perhaps the creepiest situation, albeit highly theoretical, is one in which thugs send unwitting drivers on suicide missions. “One can easily envision hypothetical cyberwar or terrorist scenarios,” in which attackers commandeer vehicles en masse via an infected audio file “and then, later, trigger them to simultaneously disengage the brakes when driving at high speed,” the research team speculated. 

Some former NHTSA officials say that until there is hard proof of real-life threats, mandatory standards would be superfluous and costly for manufacturers and the government. “I’m not ruling out the need for regulation,” but it has not presented itself yet, says Maddox, now director of collaborative program studies at the Texas A&M Transportation Institute.

If the auto industry develops voluntary standards, NHTSA then should consider whether to release its own guidelines, he says. The U.S. Council for Automotive Research, which includes engineers from Chrysler Group, Ford Motor Co. and General Motors, has deputized a task force to work on cybersecurity controls. SAE International, an association of automotive engineers, also is examining the issue.

Ford officials rolled off a list of cybersecurity precautions they take in assembling vehicles, including SYNC-enabled cars. The manufacturer checks key interfaces in “fuzz” tests—a technique that spews random information at automobile software while specialists monitor for signs of failure. Ford spokesman Alan Hall says specialists simulate possible vulnerabilities during production by looking at the people, parts, data flows and other functional elements “to determine where we may have issues with things like data integrity, information disclosure, denial of service, escalation of privilege, tampering or spoofing, etc., and then determine one or more mitigation strategies.”

SYNC has a built-in firewall and an application white-listing function that dictates which programs can be launched in car systems. Also, the vehicle control system network is separate from SYNC’s infotainment features, according to Hall. Software updates must be “code-signed,” or validated as Ford-authored to launch, “thus preventing unauthorized software installation and access to private information,” he says.
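As an added illustration, not Ford's code or SYNC's actual implementation, the following Go program models the two checks Hall describes, an application allowlist and code-signed updates, using a constructed manufacturer key. The type names, the choice of Ed25519, and the binding of the application name into the signed data are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// UpdatePackage is a constructed stand-in for an infotainment software update:
// the application it installs, its image, and a detached manufacturer signature.
type UpdatePackage struct {
	AppName   string
	Image     []byte
	Signature []byte
}

// Loader models the two checks the article attributes to SYNC.
type Loader struct {
	ManufacturerKey ed25519.PublicKey // the only key updates may be signed with
	Allowlist       map[string]bool   // programs permitted to launch
}

var ErrNotAllowlisted = errors.New("application is not on the allowlist")
var ErrBadSignature = errors.New("update is not signed by the manufacturer key")

// signingInput binds the app name to the image, so a genuine signature on one
// app's image cannot be replayed to install that image under another name.
func signingInput(appName string, image []byte) []byte {
	h := sha256.New()
	h.Write([]byte(appName))
	h.Write([]byte{0}) // separator: "ab"+"c" must not hash like "a"+"bc"
	h.Write(image)
	return h.Sum(nil)
}

// NewDemoKeys stands in for the manufacturer's key ceremony (constructed here;
// a real signing key never leaves the build environment).
func NewDemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the build-side step: sign the name-bound image.
func SignUpdate(priv ed25519.PrivateKey, appName string, image []byte) UpdatePackage {
	sig := ed25519.Sign(priv, signingInput(appName, image))
	return UpdatePackage{AppName: appName, Image: image, Signature: sig}
}

// Install is the in-vehicle step: refuse anything not allowlisted, then refuse
// anything whose signature does not verify under the manufacturer key.
func (l Loader) Install(pkg UpdatePackage) error {
	if !l.Allowlist[pkg.AppName] {
		return ErrNotAllowlisted
	}
	msg := signingInput(pkg.AppName, pkg.Image)
	if !ed25519.Verify(l.ManufacturerKey, msg, pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}
```

A modified image, a package relabelled as a different allowlisted application, or a package signed with any other key all fail the signature check, while an unlisted application is rejected before its signature is even examined.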

Industry Standards

Maddox says a voluntary regime of cybersecurity safeguards, like the manufacturers’ ongoing efforts, might be appropriate for the constantly evolving field of hacking. “The industry would be more knowledgeable and more nimble than government can be in this area,” he says. Some privacy groups agree that automotive companies should take the lead in writing cyber standards. “The car manufacturers have a lot of incentive to not put cars on the road that are inherently vulnerable,” says Joseph Lorenzo Hall, senior staff technologist with the Center for Democracy and Technology, a civil liberties organization.

If drivers start complaining about “someone messing with you on their OnStar,” that’s where NHTSA might have to step in, he says. Such a gaping security hole might force a recall and ex post facto regulations for cyber safety tests. A computer weakness “probably doesn’t reach their radar until there is big potential for something very bad happening on the road,” he adds.

Other activists, however, want hard regulations because they believe rules are both necessary and within the agency’s authority to hand down. 

“The potential for drivers in the United States to have their cars tracked or compromised by security flaws in vehicles’ embedded computers is a matter of both driver safety and security,” says Amie Stepanovich, associate litigation counsel for the Electronic Privacy Information Center. “Regulations would provide guidance for vehicle manufacturers and baseline protections for all drivers in the United States.” She adds that existing state data breach laws might offer citizens some protections, but such legislation is inconsistent and nonexistent in some states.

The university researchers are reluctant to press for regulations, acknowledging standards development will be challenging, but they are encouraged by NHTSA’s apparent attention to their studies. “We’ve talked with them many times, we’ve been at workshops with them on the topic . . . From my standpoint there certainly appears to be interest and activity related to better understanding the cybersecurity problem and what to do about it,” Savage says. He says he is not familiar with regulatory politics or NHTSA’s thinking.

“It would be very easy to dictate a set of requirements that would either do little good or would be unworkable in practice,” Savage says. Today’s global marketplace means many hands from many part-makers in many facilities touch U.S. cars. “There are complex supply chain issues here because automotive manufacturers are really integrators. There may be no single person who has access to all the source code that goes into a modern vehicle,” he says, adding that requiring manufacturers to test the whole vehicle may be unfeasible. 

Savage adds, “The standards process is going to take a while.”
