The Middletown Press (Middletown, CT)
Automakers rush to add wireless features
Cars left open to hackers
The complaints that flooded into Texas Auto Center that maddening, mystifying week were all pretty much the same: Customers’ cars had gone haywire. Horns started honking in the middle of the night, angering neighbors, waking babies. Then when morning finally came, the cars refused to start.
The staff suspected malfunctions in a new Internet device, installed behind dashboards of second-hand cars, that allowed the dealership to remind customers of overdue payments by taking remote control of some vehicle functions. But a check of the dealership’s computers suggested something more sinister at work: Texas Auto Center had been hacked.
In addition to blaring horns and disabling starters, someone had replaced listings of Dodges and Chevrolets with names of top-of-the-line sports cars. The owners of these vehicles, meanwhile, now appeared to be an odd mix of rappers and fictional characters.
“Mickey Mouse was driving a Lamborghini,” recalled Martin Garcia, general manager of the Austin dealership. “We pretty much figured out within a matter of minutes that we had a problem.”
Police later reported more than 100 victims and charged a former dealership employee with computer crimes. Five years later, this incident remains noteworthy because of what has followed: An increasingly vast array of machines — from prison doors to airplane engines to heart defibrillators — have joined what is commonly called the “Internet of Things,” meaning they are wired into our borderless, lawless, insecure online world.
As the number of connected devices explodes — from roughly 2 billion in 2010, the year of the Texas Auto Center incident, to an estimated 25 billion by 2020 — security researchers have repeatedly shown that most online devices can be hacked. Some have begun calling the “Internet of Things,” known by the abbreviation IOT, the “Internet of Targets.”
Security experts detect disturbing echoes from previous eras of rapid innovation, notably the 1990s when the World Wide Web connected hundreds of millions of people to a thrilling new online universe. Warnings about looming dangers went unheeded until viruses and cyberattacks became commonplace a few years later.
Widespread hacks on cars and other connected devices are destined to come, experts say, as they already have to nearly everything else online. It’s just a question of when the right hacking skills end up in the hands of people with sufficient motives.
“If you’ve learned anything from the Internet, it’s clearly going to happen,” said Kathleen Fisher, a Tufts University computer science professor and security researcher. “Now that we know it’s going to happen, can’t we do something different?”
The inherent insecurity of the Internet itself — an ungoverned global network running on technology created several decades ago, long before the terms “hackers” or “cybersecurity” took on their current meanings — makes it difficult to add effective safety measures now. Yesterday’s flaws, experts say, are being built directly into tomorrow’s connected world.
Among the most vivid examples came this week, when security researchers Charlie Miller and Chris Valasek demonstrated that they could hijack a vehicle over the Internet, without any dealership-installed device to ease access. By hacking into a 2014 Jeep Cherokee, the researchers were able to turn the steering wheel, briefly disable the brakes and shut down the engine.
They also found readily accessible Internet links to thousands of other privately owned Jeeps, Dodges and Chryslers that feature a proprietary wireless entertainment and navigation system called Uconnect. Valasek and Miller said they could, by merely typing the right series of computer commands, hack into these vehicles, almost anywhere they might be driving.
Government and industry officials are racing to add protections before techniques demonstrated by Miller, Valasek and other researchers join the standard tool kits of cybercriminals. In this battle, defensive forces have one clear strength: Connected devices run many types of software, meaning that an attack on one may not work on others. Even cars from a single manufacturer can vary dramatically from one model year to the next, hindering hackers.
“They haven’t been able to weaponize it. They haven’t been able to package it yet so that it’s easily exploitable,” said John Ellis, a former global technologist for Ford. “You can do it on a one-car basis. You can’t yet do it on a 100,000-car basis.”
Yet Ellis and other experts fear the race to secure the Internet of Things already is being lost, that connectivity and new features are being added more quickly than effective measures to thwart attacks. Long development cycles — especially within the automotive industry — add to the problem.
If a hacker-proof car were somehow designed today, it couldn’t reach dealerships until sometime in 2018, experts say, and it would remain hacker-proof only for as long as its automaker kept providing regular updates for the underlying software — an expensive chore that manufacturers of connected devices often neglect. Replacing all of the vulnerable cars on the road would take decades more.
The drive-by hack
Cars sold today are computers on wheels, with dozens of embedded chips running millions of lines of code. These vehicles can talk to the outside world through remote key systems, satellite radios, telematic control units, Bluetooth connections, dashboard Internet links and even wireless tire-pressure monitors. Security experts call these systems “attack surfaces,” meaning places where intrusions can start.
Once inside, most computer systems on modern vehicles are somehow connected, if only indirectly. Researchers who have hacked their way into computers that control dashboard displays, lighting systems or air bags have found their way to ones running transmission systems, engine cylinders and, in the most advanced cars, steering controls. Nearly all of these systems speak a common digital language, a computer protocol created in the 1980s when only motorists and their mechanics had access to critical vehicle controls.
The overall security on these automotive systems is “15 years, maybe 20 years behind where [computer] operating system security is today. It’s abysmal,” said researcher Peiter Zatko, a former hacker who once directed cybersecurity research for the Pentagon’s Defense Advanced Research Projects Agency and now is developing an independent software security research group.
Attackers don’t need to crash cars to cause trouble. A jealous, malicious hacker could use a vehicle’s navigation system to track his spouse’s movements while remotely activating the built-in microphone to secretly record conversations that happen in the car.
Thieves already are using mysterious “black boxes” that, through the radio signals that control modern entry systems, unlock cars as the crooks walk by; some simply climb in, start the engine and drive away.
The next wave of attacks, researchers say, could include malicious software delivered over the Internet to disable your car’s engine, with the sender offering to revive your vehicle for a few hundred dollars. Or the new generation of wireless links between cars and their surroundings — designed to improve traffic flow and avert crashes — could enable drive-by hacks. Imagine a single infected WiFi beacon on a stretch of highway delivering a virus to every passing vehicle.
“Cars are a major part of the Internet of Things,” said Sen. Edward J. Markey (D-Mass.), who this week filed a bill seeking minimum federal cybersecurity standards for cars, as long have existed for other systems critical to safety, such as seat belts and brakes. “We’ve moved from an era of combustion engines to computerized engines, but we haven’t put into place the proper protections against hackers and data trackers.”