Computer viruses are nothing new. The brutal lessons learned from those who’ve survived them make us more cautious when surfing the digital wave on our devices. But how often do we think of our vehicles as motorized computers? Today’s automobiles include operating systems that provide climate control, fuel efficiency, satellite-based entertainment, automated safety features and more. Basically, we’re driving smartphones on wheels, something we tend to forget. Our vehicles are more connected than ever and with the automotive industry constantly innovating, they will only become more so. Because of this sophistication, concerns about the strange new cyber threat of car hacking are being raised.
Yes, we know car hacking isn’t exactly new. And other than a disgruntled former Texas car dealership employee’s remotely bricking 100+ vehicles to set off their horns and disable their operating systems, no actual malicious car hacking incidents have been reported. However, the infiltration of the Jeep Cherokee driven by WIRED Magazine writer, Andy Greenberg, on a Missouri highway by white hat hackers Chris Valasek and Charlie Miller is just one of many that have shown how vulnerable these systems are to cyber attack. White hat hackers are individuals who infiltrate computer systems in order to highlight security problems for companies to fix. They’re the good guys of the hacker world, those who find the weaknesses–sometimes even hired by businesses to do so–and share them with the manufacturers to help them strengthen their programs.
Black hat hackers, however, are the ones who break into the wireless network systems for malicious purposes. These are the bad guys of the hacker community. And as automobiles become more connected–self-driving cars–the need for lawmakers to take a legal stand to protect you and your 21st-century cutting-edge automobile from what is felt to be the inevitable actions of these perpetrators becomes more vital.
Car Hacking 101
Per the Tech Target website’s IoT Agenda, car hacking is “the manipulation of the code in a car’s electronic control unit (ECU) to exploit a vulnerability and gain control of other ECU units in the vehicle.” The ECU is your vehicle’s brain. It controls your entire engine. So, if someone’s able to hack into it then he or she is capable of making your automobile do pretty much anything he or she wants. And when you’re talking about a 6,000 pound hunk of moving metal, that’s rather scary.
Strict hacking laws proposed
As cars get smarter and more communicative, the ability to infiltrate them via a wireless network gets easier. Your vehicle talks to your phone via bluetooth, your MP3 player through the AUX cord, interfaces with other cars (V2V) and even sends signals to law enforcement through its license plate (automatic license plate readers or ALPR). With so much wide open access, it raises the issue of not just how would someone plug into your vehicle’s system, but when.
Two pieces of legislation, in particular, are gaining notice. Michigan State Senator Ken Horn and Michigan State Senate Floor Majority Leader Mike Kowall have teamed up to propose that car hacking in their state be punishable by “life or any term of years” in jail. Meanwhile, the Security and Privacy in Your Car Act of 2015 or SPY Car Act is a federal plan sponsored by U.S. Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.), both members of the Commerce, Science and Transportation Committee. The bill requires the National Highway Safety and Transportation Administration (NHTSA) and Federal Trade Commission (FTC) to collaborate on creating new standards for automakers to meet in regards to cyber security in their vehicles.
The NHTSA has actually been researching safeguards to combat car hacking for several years and continues to expand its knowledge in order to better address these concerns. Its Office of Vehicle Safety Research specifically focuses on ways to “strategize, plan, and implement research programs to continually further the Agency’s goals in reduction of crashes, fatalities, and injuries.” Part of that is addressing car hacking.
A meeting of the minds in legislation and the auto industry
Connected cars and autonomous vehicles are considered the safest solutions to the rising automobile fatality rate – 35,200 deaths were reported in 2015 with 94 percent due to human error, hence the recent announcement about legislation to encourage and regulate the technology. Because of the desire to put even more wirelessly-connected autos on the roads it’s vital to make sure they can be operated safely. In January, U.S. Department of Transportation (DOT) Secretary Anthony Foxx announced the unprecedented collaboration between DOT, NHTSA and 18 automakers to address preparations for combating cyber threats to vehicles. A document called the Proactive Safety Principles 2016 outlines four key areas of security focus and lists the partners who have signed on. These categories are Enhance and Facilitate Proactive Safety, Enhance Analysis and Examination of Early Warning Reporting Data, Maximize Safety Recall Participation Rates, and Enhance Automotive Cybersecurity.
In his statement, Secretary Foxx pointed out, “We all know that the performance today’s vehicles achieve is due in large part to an increasing amount of computer hardware and software under the hood and behind the dashboard. And the era of automated vehicle technologies will add to that. So we have pledged to work collaboratively to mitigate cyber threats that could pose unreasonable safety risks.”
A wealth of ports of entry
The hardware and software Secretary Foxx mentions have many ports of entry to the inner workings of your vehicle that leave it that much more exposed. Chris Valasek and Charlie Miller proved the fragility of cyber security not just once but twice in the same Jeep Cherokee they took over from Andy Greenberg. The first time was done over the internet and Fiat-Chrysler prompted responded by fixing the issue. However, a second attempt prior to the August Black Hat conference showed that the two researchers could affect a more dangerous hack when plugged into the ECU under the dashboard to send messages to the car’s internal systems known as the controller area network or CANbus. It pointed out not only how someone plugged into the electronic control unit could attack the vehicle’s brain, but that doing so over a wireless network is still an issue.
Consider this scenario: you take your car to the shop. The mechanic plugs into your automobile’s ECU to gain instant access to the CANbus, adjusting and fixing whatever’s needed. Great.
But, while the auto repair person is communicating with the inner workings, it leaves your car’s digital door open for anyone else with enough know-how to hack into your on-board diagnostics (OBD) portal via remote. This is also the port into which you plug the dongle your auto insurance company gave you to track vehicle miles traveled (VMT). So imagine that all of the information floating around in there is vulnerable to anyone with a little car-hacking savvy to break in and control your car without your say so.
The OBD isn’t the only susceptible spot. There is the in-vehicle infotainment (IVI) capability that connects with everything from navigation systems to gaming and movies that can play on the screens in your backseat for the kids. Your bluetooth can be enabled so you can speak hands free – a law in some states – to any of your contacts in your cellular network. And every time you engage in wireless activities while you’re driving – upgrade a phone app, listen to driving instructions, access music – your vehicle’s system is open to anyone who wants to come in.
Five quick DIY anti-car hacking tips
Today’s connected cars are super efficient, wonderfully eco-friendly and incredibly convenient. They are also machines that have created a whole information highway of their own by allowing access to their operating systems through different portals and devices in a unique way. Right now, the possibilities of being a victim of car hacking are rare. However, the concern that it’s only a matter of time before black hats decide to give it a go are real. While lawmakers work on auto legislation and car manufacturers innovate to keep you and your vehicle secure, you too can take some simple steps to help yourself.
In the spirit of “forewarned is forearmed,” here are five steps you can take to protect your car and yourself:
1. Know Your Mechanic
Make sure you’re familiar with the person who works on your car. That OBD he’ll plug into gives him all-access to everything inside your engine’s brain. Protect it.
2. Watch what you plug into your dashboard
Be careful with the USBs and flash drives you plug into the ports in your dash. Know the source of the information you downloaded to transfer to your vehicle’s brain. Malware has been known to be uploaded into the car’s operating system through these sticks, thereby compromising it.
3. Familiarize yourself with your OBD port and check it
Find the port and check it from time to time to ensure it doesn’t look tampered with and no strange dongles are connected. If you notice anything amiss, contact your carmaker.
4. Use your car key to lock and unlock your car
Scanning your wireless key fob system is the easiest thing to hack on your automobile. Every time you use it, it sends out a signal that can be plucked to allow someone to get inside your vehicle and steal it, the contents or meddle with your controls.
5. Keep up with system updates
Just as with your phone and computer, your car’s digital brain requires periodic updates. Get them installed immediately. Some of these need to be done by the dealer and others can be done by yourself. However, it’s best to work with your automaker to ensure these are being handled appropriately. If nothing else, it will walk you through installations and help you should you discover something amiss with your automobile.
Familiarize yourself with your car
Ultimately, keeping in tune with your vehicle will help you stay on top of any issues that could arise. This is a new age of automotive innovation that opens up amazing opportunities, but with those come a slew of possible dangers. Legislative inroads are being made in an effort to protect connected car owners, but these are still in the proposal stage. Taking an active role in the security of your automobile now will prepare you for the autonomous road ahead.