Cybersecurity holes in connected cars leave doors unlocked for hackers
Consumers must demand security and protection standards for the Internet of Things
By Roger Yu, ThirdCertainty
The photo was jarring. A Jeep Cherokee stalled in a ditch after hackers remotely disabled its brakes.
No one was hurt.
The experiment in St. Louis last year was a coordinated hack designed and carried out by Charlie Miller and Chris Valasek, security researchers at Uber’s Pittsburgh-based Advanced Technologies Center.
Miller and Valasek sought to prove a point that the emerging technology of connected—and pretty soon, autopilot—cars are full of holes when it comes to cybersecurity. They’ve been presenting their findings at conferences and events ever since, including at IDT911’s Privacy XChange Forum 2016 in Scottsdale, Arizona, in October. (Full disclosure: IDT911 sponsors ThirdCertainty.com.)
Related video: Risks rise as the Internet of Things expands
Connected vehicles promise safer and more efficient driving experience. But Miller and Valasek’s car-hacking experiments partly prompted the Federal Bureau of Investigation, with the National Highway Traffic Safety Administration, to go public in March with a consumer warning about the possibility of an attacker remotely exploiting vulnerabilities.
And cybersecurity issues have come to the forefront in discussions about the pitfalls of the Internet of Things as the technology rapidly evolves. A couple of well-chronicled incidents, including the Jeep, have ratcheted up consumers’ anxiety over the possible erosion of control over their cars.
The fallout from the Jeep hack, wherein the security experts gained control of the car through its entertainment system, Uconnect, was swift. Chrysler, who owns the Jeep brand, recalled 1.4 million cars to fix the software bug. And Sprint, whose network was used in Uconnect, blocked access to a specific port for the private IP addresses used to communicate with the vehicles.
Meanwhile, U.S. Sens. Edward Markey, D-Mass., and Richard Blumenthal, D-Conn., introduced a bill designed to require U.S. cars to meet certain standards of protection against digital attacks and privacy. “In the rush to roll out the next big thing, automakers have left the doors unlocked to would-be cyber criminals,” Blumenthal said.
Art Dahnert, managing consultant at digital security firm Cigital, acknowledges the emerging problem but isn’t overly alarmed. Unless professionally coordinated, the current level of vehicle hacking generally requires close proximity to the car, he says. “A lot of it is hype,” he says. “Some of the issues may not affect a lot of consumers.”
Still, consumers who own connected vehicles—and most new cars are—should be aware of relevant security risks and developments, he says. Here are some issues to consider.
• Owner education. Understanding how a vehicle and some components are connected to the internet is crucial. Cars contain numerous electronic units that control a wide range of functions, ranging from steering and braking to in-car Wi-Fi and diagnostics. These computers are networked and expose possible entry points for hackers.
In-car Wi-Fi can be spoofed or accessed by hackers in nearby locations. And GPS, Bluetooth and smartphones can serve as conduits for hackers wishing to tap into the car’s control system. “If an app that manages your sound system is compromised, your phone is compromised,” Dahnert says.
• Updating software. Software bugs are inevitable. And vehicle owners should be vigilant in keeping up with updates, recalls and service bulletins. Criminals also may exploit update notices by sending fraudulent email that contains malicious software. Avoid downloading software from third-party websites or file-sharing platforms.
• Limit in-car use. Some digital bells and whistles are better left turned off whenever possible. “I would recommend that drivers learn how to disable some of the less used features of the vehicle, especially those that involve remote communications like Wi-Fi hotspots and remote starting,” Dahnert says. “These steps reduce the footholds that attackers use to hack your car.”
• Beware of third-party accessories. More third-party devices, such as insurance dongles, car monitoring tools and other telematics, can be plugged into the vehicle’s diagnostic port and become access points for hackers. Car owners should check with the security and privacy policies of device manufacturers and look to avoid them if they are from obscure companies or deemed untrustworthy.
Some accessories also may be problematic. In August, researchers at the University of Birmingham in the U.K. used a piece of radio hardware to intercept signals from a key fob used in Volkswagens. The signals can be replicated to open the doors of millions of Volkswagens dating back to 1995, the researchers claim. “Don’t forget that it’s not just what’s under the sheet-metal, but what is in your pocket that could lead to a problem,” Dahnert says.
• Pitfalls of modification. Avid car owners are notorious for their love of modification, using after-market parts. Those who modify their electronic control units or wireless connections to enhance their cars’ performance could be inviting cybersecurity problems. “Such modifications may also impact the way in which authorized software updates can be installed on the vehicle,” the FBI says.
• Supplier concerns. The advent of autopilot cars and driver-assist systems will muddle the already complex ecosystem of car manufacturers and suppliers. Heightened security standards and practices within the connected car supplier ecosystem would be needed as technology evolves, Dahnert says.
Ultimately, consumers have little direct control over the manufacturing and development of the Internet of Things in cars. But they can affect the industry with their checkbooks. “Consumers need to demand (security features) are updated. Don’t buy products that are not secured,” Dahnert says.
More stories related to security and the Internet of Things:
Data security even more critical as Internet of Things multiplies, morphs
Security must be part of device design as Internet of Things evolves
Securing the Internet of Things: ‘Side channel attacks’ expose sensitive data collected by IoT devices