Imagine that you’re cruising along at 112 kilometers per hour, confident in the stability and security of your brand new Jeep Cherokee. Suddenly, you begin to notice that the air conditioning has come on by itself. Next of all the music is increasing in volume and the windscreen wipers have taken on a life of their own. Finally, the engine cuts out.
This is what happened to Andy Greenberg, a journalist for Wired. Luckily for him though, two experts in computer security, Charlie Miller and Chris Valasek, had already warned him that this could happen.
From a distance of 15 kilometers, the two investigators were able to control the vehicle by taking advantage of a vulnerability in the navigation and entertainment system, Uconnect. Chrysler chose to cover over the problem with a blocker that the client had to download, but eventually they admitted that they had to recall up to 1.4 million vehicles.
The Internet of Things has come down heavily on the automotive industry. According to a report by Gartner, more than 150 million cars will be connected by 2020. However, the security of their systems is still a pending issue.
This isn’t the first time that these investigators have called on the manufacturers to pull up their socks. They have spent three years studying how to hack smart cars and have passed on their concerns to the lawmakers.
US Senators Richard Blumenthal and Ed Markey hope that a new law will establish a series of standards of protection to ensure the safety and privacy of the information of these vehicles. Markey commissioned a report which concluded that, with this technology, there are new vulnerabilities that could be exploited by cybercriminals. The study also said that most car manufacturers surveyed were not aware of potential security breaches in their vehicles.
Valasek and Miller are not the only ones studying the errors in these smart cars. Security expert Samy Kamkar will present the details of a new attack on the OnStar system for smart cars at the DefCon security conference. This new attack can locate the vehicle, unlock and even start the engine, all from a mobile phone app called Remote Link.
Kamkar has shown that with a cheap homemade device (it only cost him $100, about €91), it is possible to intercept the information being sent to the smartphone to locate, unlock and start the engine.
A few months ago we learned that a 14 year old was able to hack a smart car and wirelessly activate the wipers, the locking system and the lights, all with a homemade circuit.
“The safety of these cars is virtually nonexistent, it is at the same level of protection as the desktop computers that we had in the 80s. The basic requirements of authentication, confidentiality and integrity are not strong,” warned Andry Rakotonirainy, a researcher at the Accident Research Centre and Highway Safety at the Queensland University of Technology. According to this expert, while the technology continues to advance, so does the risk associated with it.
According to forecasts by Gartner, within five years we could all be driving a smart car, while Google reckons we’ll be occupying the passenger seat, as it expects to start selling its famous autonomous cars that year. The FBI has already warned, in an internal report, of the danger that cybercriminals can pose to the safety of autonomous cars by making them ignore traffic lights and speed limits, or to even schedule car bombs.
Despite the advantages of our cars being connected to the Internet, such as allowing us to publish on social networks or to listen to internet radio, this wireless connection has opened up a new range of vulnerabilities. We better hope that car manufacturers begin to consider security from the current design of smart cars and future autonomous cars to prevent any cybercriminal from locating our vehicle and making a fool of us by, hopefully, just messing with our windscreen wipers.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
