An unsuspecting driver opens her door and steps into her new car, placing her smartphone on the dash as it connects with the in-car infotainment system for hands-free features. Little does she know there’s a Trojan virus on her phone just waiting to be connected to a car – and it executes malicious code on the vehicle’s embedded software. Suddenly a hacker has the ability to track her car, unlock the doors, or even control the climate controls and speaker volume.
It sounds like a scene out of the next James Bond film, but the above scenario could be a reality today. As auto makers look to woo consumers with snazzy in-car technology features, they are also opening up personal vehicles to the underground community of hackers that have long targeted computer users. In-car IT systems such as Ford’s Sync or General Motor’s OnStar could be opening up exploits that allow hackers to take control of your car without even laying hands on it.
While complex in-car IT systems are so new that actual car hacking cases in the field are virtually non-existent, researchers have demonstrated it’s possible. But investigations into car hacking by police may be impossible at this point because of a lack of forensics capability to detect malware. All the more reason for security vendors like McAfee, now a division of Intel Corp., to push car manufacturers to pay serious attention to security.
“It shouldn’t be the responsibility of the consumers to have to secure these systems,” says Tim Fulkerson, senior director of marketing at McAfee embedded security group. “Just as manufacturers have built in seat belts and air bags, now that they’re moving to software innovation, they need to bring software security into these vehicles.”
Best known for its PC antivirus software, McAfee is now working with car makers to build secure enough systems that consumers won’t end up buying virus scan software for their ride. When it comes to car makers and securing IT system, Fulkerson says it “is certainly not their area of expertise.”
Perhaps that’s why a team of car-hacking researchers from the University of Washington and the University of California at San Diego have had so much success. Dubbed the Center for Automotive Embedded Systems Security (CAESS), the team demonstrated in May 2010 how a criminal with physical access to a car could implant malware. Then in August 2011, the team showed an external car hacking attack could be mounted through various paths including Bluetooth and cellular radio.
One such attack was executed after the researchers reverse-engineered a car’s telematics operating system and found the program responsible for handling Bluetooth functions. From there, they planted a Trojan horse (a piece of malicious software) on an HTC Dream smartphone that monitors for new Bluetooth connections and if it finds a telematics unit, sends the payload.
Researchers were also able to use special hardware to “sniff” the MAC address of the Bluetooth connection needed for pairing new devices with the telematics unit. After cracking the password through brute force, or machine-assisted repeat attempts, the Trojan could be uploaded from a device in the attacker’s hands.
But seeing such an attack executed in the wild today is unlikely, according to Patrick Neal, a program coordinator for crime and intelligence analysis at the B.C. Institute of Technology (BCIT). He had his students explore car hacking methods identified by the CAESS group and others.
“It would take a lot of energy and time to have it done,” he says. “We may not be able to answer these questions because we really don’t know what the forensic nature will look like.”
If hackers do crack a car’s security, they could wreak havoc by controlling many different systems, Neal says. One real world attack in early 2010 saw customers of the local Texas Auto Center experience baffling behaviour from their car – the horn would honk all night long, or the lights would flash on and off. Worse yet, some cars just wouldn’t start and others discovered their leases had been transferred to deceased rapper Tupac Shakur. It turned out a disgruntled former employee had decided to take out his frustration by hacking the company’s remote vehicle mobilization system.
Still, Neal says he hasn’t come across any case law in North America with evidence of car hacking. While there is forensic software to explore modern cars’ IT systems – such as Blackthorn’s GPS forensics software that can retrace routes from Garmin, Magellan and TomTom units – there’s currently nothing to test if malware has affected a car’s behaviour.
“We’re not aware of the exact nature of this malware,” Neal says. Modern car IT systems are so complicated that his students were unable to detect a piece of malware they had designed and implanted into a car themselves.
Today’s average car has 70 embedded IT systems, according to Forrester Research. Those are run on 10 million lines of code, a number analysts expect to skyrocket well into the hundreds of millions by 2015. Rather than rely on forensics to determine how hackers implanted malware into cars, McAfee hopes it will be possible to stop it from happening at all.
White listing is one security approach that could be effective, Fulkerson says. “For these sorts of devices, they should only run these specific files, and that’s it. It’s like a flu shot, once you receive the whitelist inoculation you’re immune from the malware.”
Another approach is to run car systems on logically separate computer systems within the car, so a piece of malware that infects the infotainment centre couldn’t see the system that controls the brakes. Isolating systems like this is a standard auto-makers are agreeing to through groups like the GENIVI Alliance, dedicated to broad adoption of an in-vehicle infotainment open-source development platform.
While manufacturers are taking responsibility for the security of their modern systems, driver veracity will also play a part in staying safe, Fulkerson says. “As cars become increasingly connected, you have to be a little bit more aware and ask questions about the security that’s been built into them, or not.”
Not a bad piece of advice for drivers who find their commutes painful enough without a hacker deciding to crank up the heat to full blast and blaring the latest Lady Gaga song at maximum volume.
Here are some other ways that hackers might be able to infect your car with malware:
- Modern cars have an OBD-II port used by mechanics to scan the car’s internal network of components and determine what needs to be fixed. Since the scanning tools used to access this port are programmed with a Windows PC, it’s possible a hacker could infect the PCs at an auto-shop, and in turn any cars being serviced.
- USB or iPod connection: A hacker could compromise a driver’s iPod with software that attacks a car’s media system, then wait for the unsuspecting driver to plug it in to the dashboard.
- Tire Pressure Monitoring System: A RFID chip designed to exchange information on a wireless band about tire pressure could be exploited to transfer data on to a car. Similar systems also exist in keyless entry systems.
- Cellular radio: Systems such as GM’S OnStar keep constant connection via cellular voice and data networks. Hackers could take advantage of this high bandwidth, two-way channel to implant malware from a great distance.
