The most recent film in the Fast & Furious franchise contained a memorable set piece in which a hacker remotely takes control of hundreds of cars, sending them racing through the crowded streets of Manhattan, dropping out of multi-story parking garages, and colliding in massive pileups. This might be just an over-the-top action movie fantasy, but the possibility of hacking cars is a legitimate growing concern.
Remote attacks on cars date back to at least 2010—when a former employee at a car dealership in Texas remotely disabled customers’ cars via an online app—and the danger is increasing with the growth of autonomous vehicles and smartphone integration. Some say the media has overstated the risks, while others say that car hacking will cause a great deal of danger in the near future.
Even outside of self-driving cars, vehicles are increasingly reliant on internal computers. A 2015 white paper by SANS stated that the average high-end car contains over 100 million lines of code. A car’s computerized components communicate via an internal network known as the “CAN bus”. This architecture is 30 years old, and therefore was not designed with cyber security in mind. Getting access to the CAN bus is how many car hacks occur.
Because a car’s systems have to be able to respond instantly to commands—e.g. the application of the brakes—the CAN bus system is designed for maximum efficiency. That is, it was built to act; not to verify the legitimacy of every command. This emphasis on efficiency also means that the CAN bus lacks the proper segmentation and boundary defense controls that you would see in most modern networked systems.
In a demonstration at the 2015 Defcon hacking conference, Charlie Miller and Chris Valasek pulled off what is probably the most famous car hack to date. Miller and Valasek took over a Jeep from miles away, disabling its transmission and brakes. This led to a massive recall of Fiat Chrysler vehicles in order to fix the vulnerability that was exploited.
The Jeep hackers entered via the Internet-connected entertainment system. Because of poor segmentation, they were able to move within the network to gain access to the CAN bus. This initially gave them limited control, because they could only fully manipulate the car while it was in “diagnostic mode”, which was disabled when the car was at speed. Eventually, they were able to override the safety controls, put the Jeep in diagnostic mode at full speed, and thereby take complete control. The demonstration was a striking example of how dangerous a car hack could be under the right circumstances.
The “Jeep hack” was just one example of how hackers might gain control of a car. Researchers at the security firm Kaspersky recently completed testing on nine car-connected Android apps, and found them to be severely lacking in security controls. By rooting the driver’s phone (an exploit used to gain privileges within the operating system), using overlay malware, or executing a simple phishing attempt, hackers could use these apps to locate a car, unlock it, and start its engine. In 2015, well known hacker and security researcher Sammy Kamkar demonstrated the he could also compromise car-connected apps by attaching a small device to a car to intercept credentials. Credentials like these are already being bought and sold in hacker forums.
The risks of car hacking have evidently captured the imaginations of journalists, researchers, and consumers, but there are those who say the danger has been overblown because it is an exciting topic. A 2016 article in Scientific American by David Pogue accused Wired of “scare-tactic journalism” regarding car hacking. Pogue argued that no one has ever succeeded in remotely controlling a stranger’s car, and that the famous examples of car hacking, such as the “Jeep hack”, required prolonged access to the target vehicles. Pogue also downplayed the dangers of car hacking based on other points, such as that cars are only susceptible if they rely on cellular internet service, automakers are quick to fix identified vulnerabilities, and the “hackers” finding the flaws are white hat researchers—not legitimate cybercriminals.
History may prove Pogue’s position to be naïve, as his general argument seems to be that because a true car hack hasn’t happened yet, it won’t happen soon. However, he does provide the important perspective that car hacking is the type of scary idea that often draws disproportionate attention from the media.
Whether car hacking is a problem of the future or the present is up for debate, but as our vehicles become increasingly connected to the digital world, cyberattacks will become inevitable. Cars can be considered as part of the Internet of Things (IoT), the growing world of appliances and everyday objects that are connected to the Internet. Many experts see the IoT as the next great frontier of cybersecurity, as hackers target these often poorly protected devices. Because cars carry such potential to cause injury and damage, it is imperative that manufacturers prioritize protection against cyberattacks.
More than 100 Fortune 500 companies, including some of the world’s largest automakers, use D3’s incident management platform to detect, manage, and respond to security incidents. Book a demo to learn more about how D3 can help you mitigate the damage of cyberattacks.