As more software runs critical car systems, automotive cyber terrorism becomes a real fear. Experts fear cyber terrorists could target cars, tinkering with software in a way that causes accidents.
Imagine this grisly scenario: You’re driving down the interstate with the cruise control set at the speed limit. Without warning, your car accelerates. The speedometer pushes past 100 miles per hour. Suddenly, the car turns left and crashes into the concrete median.
If you are lucky enough to survive, you emerge from your wrecked vehicle and see crashes all along the highway. Hundreds of identical, high-speed accidents have taken place at the same time.
Although it sounds like a scene out of a Stephen King novel, experts are worried that sort of mass-scale automotive terrorist attack could actually happen here. As cars become reliant on software and electronics to run everything from infotainment to engines and brake systems, they are increasingly vulnerable to people with malicious intent.
“Cars basically look like they have for 50 years, but underneath they’ve changed dramatically,” said John D. Lee, a mechanical engineering professor at the University of Wisconsin. “A car is a rolling computer network with 80 to 100 microprocessors and 100 million lines of code.”
It’s become such a concern that last year, the National Highway Traffic Safety Administration quietly opened up a cyber terrorism department to keep track of software issues that could make cars vulnerable to attack.
Software is entwined with every conceivable system aboard today’s vehicles, linking everything from brakes, powertrain, and throttle to infotainment, Bluetooth connection, and MP3 players.
Connected cars – or rolling computers – hold great promise for automotive safety. Human error causes more than 90 percent of the 10.8 million motor vehicle accidents in the U.S. each year, according to Mitch Bainwol, chairman and CEO of the Alliance of Automobile Manufacturers. Safety developments both inside the car and along the highway could dramatically reduce accidents and fatalities.
But there is a dark side. Experts fear terrorists could launch an attack by breaching security in the software of a particular automaker or, in the years ahead, through the wireless infrastructure being developed to provide information for connected cars.
Critical systems hacked
“Can some 14-year-old in Indonesia shut a bunch of cars down because everything is wired up?” That’s the question U.S. Senator Jay Rockefeller posed to a panel of automotive experts during a Senate Commerce Committee hearing last month.
The short answer is yes. Researchers from the University of Washington and University of California-San Diego hacked into an ordinary, mid-priced, late-model sedan available to any consumer. They unlocked car doors, eavesdropped on conversations, turned the engine on and off and compromised critical vehicle systems.
In a follow-up experiment, the researchers, affiliated with the Center for Automotive Embedded Systems Security, breached all sorts of security measures, uploading malware from a doctored CD and obtaining “full control” over the sedan’s telematics unit by calling the car’s cell phone, according to their research.
They also compromised a Pass-Thru device, a tool that helps auto technicians diagnose problems, which allowed them to subsequently connect to every car that was later plugged into that device. This was particularly troublesome because it meant hackers could infiltrate more than one car from a single entry point.
“We demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input – including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on,” the CAESS researchers wrote.
Another daunting conclusion that presents complications for crash investigators: The researchers successfully attacked the car’s telematics unit in a way that “will completely erase any evidence of its presence after a crash.”
Since the studies were completed, in 2010 and 2011, much has changed, and not necessarily for the better.
Wireless multiplies potential risks
Automakers are now wirelessly updating software. Customers can use services like OnStar’s RemoteLink to unlock their doors and monitor their cars on their iPhones. Researchers are beginning to connect cars both with one another and through smart infrastructure that will help govern self-driving cars. All these wireless transactions multiply risk.
Along those lines, the NHTSA recently opened a special division dedicated to automotive cybersecurity threats. The Electronic Systems Safety Research Division employs 12 people with engineering and software backgrounds and investigates “cyber vulnerability” that presents “emerging challenges for auto safety,” according to NHTSA.
But several congressmen questioned whether NHTSA had the necessary expertise to handle such an assignment, noting the agency needed to seek outside assistance from NASA three years ago during its investigation of Toyota’s unintended acceleration accidents.
During the commerce committee hearing on May 15, NHTSA administrator David Strickland told the congressmen he was satisfied with the staff on hand – he intends to add more – and, seeking to reassure the committee, said he understood “we don’t want to be behind the eight ball on this.”
Ignoring the CAESS study, Strickland said, “What we do know, at this point right now, is there has never been an unauthorized accessing of a vehicle currently on the road today.”
But especially as vehicle-to-vehicle and vehicle-to-infrastructure technologies develop, cyber threats will be a major concern for the auto industry in the years ahead and are already a key part of its design process.
Automakers are already investing in cybersecurity. Ford, for example, utilizes a “threat modeling methodology” to review potential weak links, has a built-in firewall to separate infotainment and vehicle control systems, and uses key cryptography to prohibit updates to its SYNC software unless it receives a unique code that’s verified from Ford.
Lee, the Wisconsin professor, is skeptical that those kinds of methods will work.
“I know the industry is attentive to this, but just like computers these days – and your car is a computer – you have some documented cases where companies that have very good attention to security can be compromised,” Lee said.
“They are striving to overcome the hackers, and the hackers are striving to overcome the obstacles,” he said. “It’s an arms race.”
Pete Bigelow is an associate editor at AOL Autos. He can be reached via email at email@example.com and followed @PeterCBigelow.