With the increase in wifi in automobiles, coupled with onboard computing and
tracking diagnostic capabilities, there has been a lot in the news lately about hackers wirelessly hacking cars. But how likely is it that your vehicle could be hacked?
As is so often the case with news “reporting” on these sorts of things, there are some, such as ’60 Minutes’, who are crying that the sky is falling, while there are others, such as Forbes, who downplay it as much ado about nothing. And, as one might expect, the reality is somewhere in the middle, although because at this point it’s somewhere between the “pure conjecture” and “proof of concept” stage, it’s really difficult to say how much of a threat it is to those living in the real world. But it’s definitely a real possibility.
The reason that it is in the news right now is because Senator Edward Markey, of Massachusetts, just released a report on Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk.
As the report explains, “New technologies in cars have enabled valuable features that have the potential to improve driver safety and vehicle performance. Along with these benefits, vehicles are becoming more connected through electronic systems like navigation, infotainment, and safety monitoring tools.”
However, the report goes on to say, “The proliferation of these technologies raises concerns about the ability of hackers to gain access and control to the essential functions and features of those cars and for others to utilize information on drivers’ habits for commercial purposes without the drivers’ knowledge or consent.”
So, Senator Markey (or more likely his staff) sent letters to 20 car makers, asking for information on what technology is onboard their automobiles, what security is onboard to protect the technology against hacking, and also what personal information (about the owner/driver) is collected.
In all, letters were sent to Aston Martin, BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Lamborghini, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Tesla, Toyota, Volkswagen/Audi, and Volvo.
All but three of the automobile manufacturers responded to Senator Markey’s request. The three that did not respond were Aston Martin, Lamborghini, and Tesla.
Sen. Markey’s report says that the responses from the auto manufacturers demonstrate that, among other things, “Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy,” and that “security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers, and many manufacturers did not seem to understand the questions posed by Senator Markey.”
Perhaps most concerning, and relevant to the buzz about “your car being hackable” going on right now, are the findings that “A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data,” coupled with “Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.”
In the executive summary to the report, Sen. Markey concludes that “These findings reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information.”
Clearly Doug Newcomb, of Forbes, is in the ‘much ado about nothing’ camp, railing against “the supposed vulnerabilities of connected vehicles” in a piece entitled Congress, ’60 Minutes’ Exaggerate Threat Of Car Hacking, and accusing 60 Minutes of “scare tactics”.
However, was 60 Minutes’ display of reporter Lesley Stahl, ‘trapped’ in a car that she couldn’t stop, while the wipers and horn were activated (and the brakes deactivated) by someone with a laptop, really “scare tactics”? Or proof of concept?
As Newcomb notes in his piece, there has been only one reported malicious hacking of a car (and that an ‘inside job’). But, let us repeat, there has been a reported hack attack on a car.
Newcomb, and experts he cites, say that hackers are not as likely to focus on hacking cars as they are, say, banks, because there is not as much profit to be made.
We think that overlooks what should be an obvious point: while the personal data garnered from hacking cars may not be as profitable, there is a whole lot of money to be made by ensuring that someone’s brakes fail at the right time.
Plus, not only is it now fairly easy for a hacker to hack your remote door locks, but there is even software available online that will do it for you. And OpenGarages.org offers the Car Hacker’s Handbook for free, or via Amazon.
Of course, sometimes car manufacturers inadvertantly make it even easier, such as the revelation last week that BMW’s ConnectedDrive had a security hole allowing for remote unlocking by others, which affected 2million BMWs.
In fact, a few years ago it was revealed that you could program a cell phone to open your remote car door locks. True, that would require the hacker to have access to your keyfob for a few minutes, but the point remains that hacking a car is not as unlikely as some would have you believe (while also not as likely as others would).
So, the point is: yes, it’s entirely possible. Is it probable? It really depends.
And if you are curious about the hackability of your own vehicle, Wired Magazine has helpfully published this handy chart of how hackable various cars are.
|Get notified of new Internet Patrol articles!