Tag Archives: Car Safety

Report: Automakers are leaving vehicles vulnerable to hackers


Nearly all new cars on the market include wireless technology that makes drivers vulnerable to hacking or an invasion of privacy, a new report says.


As we make our way down the road to a more connected future, automakers are continuing to embed a wide range of wireless technologies into the cars of tomorrow. And sure, these smarter vehicles usher in a whole new era of improved safety, better performance and smartphone integration right into your dashboard; however, according to a new report released by Senator Edward Markey (D-Mass.), automakers may be failing to protect those features against the possibility that hackers could take control of vehicles or steal personal data.


“The proliferation of these technologies raises concerns about the ability of hackers to gain access and control to the essential functions and features of those cars and for others to utilize information on drivers’ habits for commercial purposes without the drivers’ knowledge or consent,” Sen. Markey writes.

The senator’s office sent out a questionnaire to 20 automakers more than 14 months ago to compile the report, examining them on their cars’ and trucks’ security and privacy measures. Out of the batch, 16 responded. The results revealed that nearly all modern vehicles have some sort of wireless connection that could potentially be hacked to remotely access their critical systems. In fact, most automobile manufacturers were unaware of or unable to report on past hacking incidents. Only two of the companies were able to describe any capabilities in place to diagnose and thwart malicious hackers in real-time, while another pair confirmed they could also remotely slow down or stop a vehicle under the control of a cyber criminal.


Companies’ efforts to safeguard connections are “inconsistent and haphazard” across the industry, the study says. Beyond the security weaknesses and the mere threat of a hacker gaining control of a steering wheel or gas pedal, Markey’s survey found that many carmakers are constantly gathering information about their drivers. What’s more, the politician pointed out that a majority collect and wirelessly transmit driving history to data centers, yet most do not describe effective means to secure the data itself.

“These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information,” the published document emphasizes.

At the same time, just about all new cars on the market today are equipped with at least some wireless entry points to computers, such as tire pressure monitoring systems, Bluetooth, keyless entry, remote start, navigation, Wi-Fi, cellular/telematics, radio, and anti-theft systems.

“Auto engineers incorporate security solutions into vehicles from the very first stages of design and production—and security testing never stops,” Sen. Markey explains. “The industry is in the early stages of establishing a voluntary automobile industry sector information sharing and analysis center—or other comparable program—for collecting and sharing information about existing or potential cyber-related threats. But even as we explore ways to advance this type of industrywide effort, our members already are each taking on their own aggressive efforts to ensure that we are advancing safety.”


The findings were released after a recent 60 Minutes segment detailing how DARPA was able to hack General Motors’ OnStar system to remotely control a Chevrolet Impala, including its brake and acceleration systems. The study follows in the footsteps of other publications as well, which showcase various ways that attackers have exploited flaws in luxury cars’ in-vehicle systems and used them to send commands to the electronic control unit. (For those wondering what exactly hackers can do to your vehicle, head over to this piece from ABC News.)

“We now need a rating system for security, for safety, for that vehicle from it being hacked by an outsider that could cause an accident, cause real danger to a family,” Sen. Markey concluded.

With up to a hundred million lines of code and at least 30 MCU-controlled devices (some with as many as 100), the vehicle is the ideal application to bring smart, connected devices into the era of the Internet of Things. It’s clearer than ever before that automotive technology is quickly becoming an integral part of the digital lifestyle as consumers want to bring their mobile devices seamlessly into their automobiles; however, it has never been more important to ensure that hardware-based security solutions are in place to keep drivers protected behind the wheel and cars safeguarded under the hood.

Interested in reading more? You can find the entire report here.

Hacker group sets out to improve vehicle security

Forget about car jacking, car hacking is now at the center of all the buzz. A grassroots security movement called “I am the Cavalry” recently introduced a cyber safety program to facilitate collaboration between researchers and car makers as vehicles become increasingly connected. Last Friday, the group presented an open letter to the heads of today’s leading automotive companies challenging them to acknowledge growing cybersecurity concerns that impact vehicle safety. In a detailed description of its “Five Star Automotive Cyber Safety Program,” I am The Cavalry outlined five critical capabilities that participating companies should demonstrate within their organization to improve security:

  1. Safety by Design

    VALUE: We take public safety seriously in our design, development, and testing.

    PROOF: As such, we have published an attestation of our secure software development lifecycle, summarizing our design, development, and adversarial resilience testing programs for our products and our supply chain.

  2. Third-Party Collaboration

    VALUE: We recognize that our programs will not find all flaws.

    PROOF: As such, we have a published coordinated disclosure policy inviting the assistance of third-party researchers acting in good faith.

  3. Evidence Capture

    VALUE: We want to learn from failures and enable continuous improvement.

    PROOF: As such, our systems provide tamper evident, forensically sound logging and evidence capture to facilitate safety investigations.

  4. Security Updates

    VALUE: We recognize the need to address newly discovered safety issues.

    PROOF: As such, our systems can be securely updated in a prompt and agile manner.

  5. Segmentation & Isolation

    VALUE: We believe a compromise of non-critical systems (like entertainment) should never adversely affect critical/physical systems (like braking).

    PROOF: As such, we have published an attestation of the physical/logical isolation and layered defense measures we have implemented.


“Modern cars are computers on wheels and are increasingly connected and controlled by software. Dependence on technology in vehicles has grown faster than effective means to secure it. Security researchers have demonstrated vulnerability to accidents and adversaries over more than a decade,” the group writes on its website.

It appears that some have grown tired of the same-old hacking of computers, email, websites and networks, and have elected to try a moving target instead; with the emergence of connected vehicles come numerous car hacking opportunities.

In its open letter, I am The Cavalry referenced vehicle-to-vehicle (V2V) communication, automated traffic flow, remote control functions and driverless cars as just some of the evolving technologies making their way to the public. “We don’t need to wait for bad things [to happen] before starting to take safety into our design [considerations]. It takes a very long time to develop technologies and get them in the market. What we start today may not manifest for several years,” Joshua Corman, I am The Cavalry Co-Founder and CTO of Sonatype, told SCMagazine.

(Source: Seth Rosenblatt/CNET)


A Change.org petition has also been set up, encouraging the car industry to urgently address security concerns. “When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles.”


“The goal of our outreach effort here is to catalyze greater teamwork between security researchers and the automotive industry. Our combined expertise is required to ensure that the safety issues introduced by computer technologies are treated with the same diligence as other classes of automotive safety issues.”

Researchers have revealed that high-end cars have several computers to control brakes, acceleration, cruise control and self-parking. As a result, attackers have to find a way to exploit a system and then use that vulnerability to send a command to the electronic control unit. These flaws are a problem because it’s hard to patch a car. As VentureBeat notes, “Tesla has a lot of security in place, and it also has a vulnerability disclosure system. Most car makers seem unprepared for hackers because they’re not yet used to the idea of hackable electronic systems. The tire pressure monitoring system, for instance, is hackable. But the risks related to it are small.” As car makers add more computing power and communications to their cars, they become bigger targets. Tesla vehicles rely heavily on sophisticated software and electronics. Founder Elon Musk has even offered a $10,000 reward for a successful hacking of the Tesla Model S vehicle.

A study released at Black Hat 2014 by security researchers Chris Valasek and Charlie Miller also explored the “hackability” of 24 different car models. The “most hackable” include the 2014 Jeep Cherokee, 2015 Cadillac Escalade and 2014 Infiniti Q50, while some of the notable “least hackable” include the 2014 Dodge/SRT Viper, 2014 Audi A8, and 2014 Honda Accord.