The Connected Car Security Problem No One is Talks About

Matthew Young is a Boston based freelance writer. As an aspiring automotive journalist looking to make a name for himself in the industry, he is passionate about covering anything on four wheels. When Matthew is not busy writing about cars or new emerging tech, he usually spends time fiddling with his camera and learning a thing or two about photography. You can tweet him @mattbeardyoung.

The future of the car has been decided, and it involves an always-on data connection that can enable new types of interaction and data aggregation for both auto manufacturers and motorists. Much has been said on the connected car and its impact on daily driving, but one topic remains scarcely covered as cars converge with high-speed mobile data connections.

Hacking, which has become all too common on personal computers, tablets, and smartphones, poses a real threat to the connected car market as these models become more widespread and more advanced. With anywhere from 50 to 100 miniature computers found underneath the hood, cars are an easy, if moving, target for today’s hackers. Before buying into the connected car revolution, and paying a premium for these features, it’s a good idea to understand the three types of hacking that affect connected cars and what the potential impacts of these hacks could be.

The Three Types of Potential Connected Car Hacks

Connected cars feature both wired and wireless points of entry for malicious code that could do anything from remotely disabling the ignition to stealing valuable consumer data. The three types of hacks that affect connected cars include each of the following:

• Indirect Physical Hacks: Using the car’s OBD-II information port, or even a USB media connection to an iPod, smartphone, or tablet, hackers could transmit malicious code to the car’s central data system or infotainment system. This data could allow for a remote takeover of the car, data theft, or disabling of key vehicle features, all without the driver’s knowledge and with virtually no indication that such an attack is happening.
• Short-Range Wireless Hacks: Cabled attacks aren’t the only way to compromise a connected car. Wi-Fi, Bluetooth, and RFID connections like those from a keyless entry remote, could also be used to compromise a connected car in some way. This is especially true for the newest connected cars, which are connected to 4G LTE data networks and are often paired with a smartphone control app.
• Long-Range Wireless Signal Hacks: While performing a short-range attack the attacker needs to be within several feet of the vehicle, long-range signals can compromise the vehicle from a far greater distance. Long-range signals could include satellite radio, GPS, crash reporting, and mobile data signals that are received by the car. These signals can carry quite a bit of data, and corrupt data could be used to override the car’s security systems and gain access to key controls.

The Worst Case Scenario: What Could a Hack Do?

Remember, up to 100 tiny computers are installed inside most of today’s most popular cars. The number of functions controlled by these chips is always increasing, but currently includes things like automatic headlights, blind spot monitoring, keyless ignition systems, speed regulation, automatic door locking, brake systems, and much more. Despite each of these tiny computers working on a separate function of the vehicle, compromising the entire system is possible thanks to the car’s use of a Controller Area Network (CAN) bus.

The CAN bus ties all of the computer and information systems installed in a vehicle together. That means it’s possible to create a targeted attack, through the CAN bus system, that disables only certain components of the vehicle. This could result in a potentially more serious risk to personal safety in a worst-case scenario. Despite the use of this in-car communications system and the risks that come from a connected vehicle, some protocols can be put into place to prevent malicious access to the underlying technologies in connected vehicles.

Preventing the Hack: What’s Being Done by Automakers

In 2011, researchers at the University of Washington and the University of California San Diego collaborated on a project that sought to fully hack and compromise a car through its OBD-II information port. The attempt was successful, and the researchers were able to successfully compromise the vehicle with relative ease. This set off alarm bells in the automotive industry. Ever since, car manufacturers have been making small adjustments to car technologies in an effort to prevent even more serious hacks, especially those over short-range or long-range wireless signals, from succeeding. These measures include:

• Encryption: OBD-II data, for the most part, has not historically been encrypted. The vast majority of information transmitted by this port could be read and manipulated quite easily. That’s changing over time, with manufacturers implementing tough encryption that makes it harder to compromise the car through the OBD-II port.
• Separating Key Systems: The CAN bus links a car’s various computers and information points together, leading to the potential for a full-vehicle compromise. Increasingly, manufacturers are separating key safety systems from “accessory” systems so that the safety of passengers can be assured in the connected car era.
• App Control: Manufacturers now have stringent standards for apps that wish to be included in, or have access to, infotainment screens and systems. Any insecure or exploitative app is rejected or eliminated from the system before it can pose a risk to the driver.
• Verification: Data sent between two systems in the car is now double-verified, just like a credit card transaction at the point of sale. This helps to eliminate the opportunity for malicious code to make its way into key computer systems.

Steps like these are essential to improving the security of connected cars, including today’s most at-risk models. In an examination of the potential “points of entry” for hacking attempts, cars like the Ford Fusion, Cadillac Escalade, and Jeep Cherokee were found to be most vulnerable. Each respective manufacturer is pioneering new ways to keep these cars, and future models, safe from malicious attacks.

Hope for the Future: Hacks Are Exceedingly Rare

Despite the real possibility of hacking connected cars, actual hacks “in the wild” remain very rare. Even the researchers at the University of Washington and the University of San Diego were only able to hack a vehicle through a physical connection and not a wireless one. Furthermore, hacking a car would take considerable time and financial resources, would require hackers to focus on a single vehicle model or driver.

Currently, this type of hacking just isn’t an affordable, profitable, or practical pursuit. Thankfully, this means that malicious hacking of connected cars remains exceedingly low. It’s likely that this will remain the case well into the future, but preventative measures taken now will prevent serious safety headaches down the road.