I was skeptical. I’d seen videos on YouTube where young hackers pry the dashboard off a Prius, hardwire a laptop to the OBD II sensor and then gleefully take control of the car. They honk the horn. They make the speedometer display 199 mph 320 km/h). They jerk the steering wheel, laughing at the helpless driver as they clack away on their laptop keyboards while sitting in the back seat.
I thought, “So what?” If that’s what it takes to hack into a car, this doesn’t impress me at all.
But that was a couple of years ago. Today, hackers can do a lot more. In fact, they’ve identified six ways to wirelessly hack into a car, including the tire pressure monitor and keyless entry systems. Some of these methods require a hacker to be close to a car, but others can be done from anywhere.
As one counter-hacker told me, “Once you’re on the CAN bus, you’re in.” That’s the Controller Area Network, the central nervous system of every modern vehicle. And there are plenty of ways you get onto the CAN.
Check out an excellent research paper on this topic, “Comprehensive Experimental Analyses of Automotive Attack Surfaces” from the University of California, San Diego and the University of Washington. There also are a series of excellent videos on YouTube titled “Phreaked Out” produced by the online magazine Motherboard. These will open your eyes.
Cybersecurity experts paint nightmarish scenarios that we could face in the future. Imagine a car-theft service that sells GPS coordinates and VINs to car thieves. “I’m looking for late-model BMWs or Audis within a half-mile of 4th and Broadway,” a thief may inquire. “Do you have anything for me?” The thief would be supplied with the year, make and model of nearby cars, shown exactly where they are, let him choose which one he wants and then unlock the doors, start the engine and disengage the shift-lock mechanism – all with a couple of keystrokes.
Or why not listen to private conversations by hacking into the in-cabin microphone? Anyone who pairs their phone to their car via Bluetooth is vulnerable. Snooping on what people are saying in their cars could prove enticing to corporate spies, private investigators and even paparazzi.
By attacking dealerships and service centers, perhaps by compromising an employee’s laptop, hackers could install malicious software on lots of cars. And those cars could be used to compromise other dealerships and service centers. A Trojan horse then could be activated by an “environmental trigger” such as a day and time, a car’s speed or even its GPS location. Think massive mayhem.
One particularly concerning hack involves corrupting a song file, using social media to entice people to download and play it in their car, and using that to get on the CAN bus. A CD or thumb drive with that song could be just as effective.
Cyber experts tell me there are essentially three types of hackers:
- Kids and “hobbyists.” These people do it for fun, I’m told. “They’re generally not malicious. They’re the types who like to break into a bank’s system and then text the bank president bragging that they broke in.
- Thieves. This is the main threat seen for cars.
- Terrorists. Unfortunately, there may not be any foolproof ways to stop them.
Right now, hacking into a car is not easy. It’s time-consuming and expensive. It involves a lot of reverse engineering of software systems in a car. But as cybercriminals share their knowledge and methods, those costs will come down and it will become easier.
Up to now, automakers have done nothing to harden their cars against hackers. Who could anticipate this would be a problem? Certainly not the engineers who designed the first CAN bus networks back in the late 1980s.
Today, that’s changing. Cybersecurity now is a top-of-the-list priority for automakers and suppliers. The advent of connected and autonomous cars makes this even more imperative. Happily it looks like there might even be some simple, low-cost software solutions.
What a world we live in. Updating your cyber security software may become as routine as getting an oil change or a tune-up. But there’s no question it will have to be done. Vehicles definitely are vulnerable.
John McElroy is editorial director of Blue Sky Productions and producer of the “Autoline” PBS television show and “Autoline Daily,” the online video newscast.