New car tech has security vulnerabilities – are we safe from hackers or governments?

Ahead of tomorrows DEFCON conference is tomorrow there’s been several announcements of car security vulnerabilities.  I’ve long suspected these vulnerabilities would exist as more infotainment and communications capabilities are built into new cars.  Projecting into the future we should expect more of these vulnerabilities, and that the Government (NSA, etc) will want to have access to these systems to track our movements or even maintain remote control of our cars.

The trend is clear that advanced technology being added to cars is a huge security risk, not just from malicious hackers but the kind of government snoops that are tracking everything we do with cell phones, or our activities in social media sites like Facebook.

The news started in July with a Wired “stunt journalism” article informing us that Chrysler’s JEEP’s are very vulnerable to remote hacking.  This featured a pair of “security researchers” who figured out how to locate any JEEP via the wireless service, and a vulnerability in the infotainment system with which they can remotely control almost every aspect of the car.  This includes turning off the engine, controlling speed and braking, and more.

It’s very scary stuff, and the researchers worked with Chrysler/Fiat to ensure they had a fix ready to roll once it was revealed.   That sounds like Fiat/Chrysler was acting responsibly, fixing known problems rather than sweeping them under the rug.  However, yesterday Bloomberg News reported that Chrysler/Fiat may be in trouble with regulators because they didn’t disclose the vulnerability for 18 months.

There’s a tendency for manufacturers to try and sweep problems under the rug – because going through with fixing problems is more expensive.  The default behavior, to ignore problems, means critical vulnerabilities would go unaddressed unless they somehow become public.  In this case Fiat/Chrysler claims they were actively working on fixing the problem, and didn’t deem it a serious risk.

The JEEP vulnerability isn’t the only known one.  Today news broke through CNN Money that other security researchers have identified several vulnerabilities in the Tesla Model S.

In this case the vulnerability requires physical access to the car.  Using the vulnerability, attackers can remotely unlock the car, control speed, etc.  Tesla Motors was informed of the problems, and is rolling out an over-the-air update.

It’s not just remote control – another Wired article describes a gizmo with which an attacker can snoop on radio signals between car and wireless key fob, then mimic the keyfob to allow a thief to break into the car later.

In other recent news, VW announced they were rolling out advanced technology features in their whole 2016 product line, including the Audi A3 Sportback e-tron.  VW, like the other automakers, are in a race to add in advanced technology and autonomous driving features to make cars more attractive in the smart phone era.

The trend is clear that car companies are going to keep advancing the technology built into cars.  They see a huge market in self-driving autonomous cars (see the links below) and other technology.

Earlier I said this is a big risk.  As a software engineer who worked in software quality engineering let me say something — every piece of software has bugs in it.  Software testing is never finished, only exhausted – meaning that all software manufacturers ship with known bugs.  They make a decision to go ahead and ship by ranking the known bugs with priority, and deciding it’s “okay” to do so if the known bugs are not serious.

In other words – cars are becoming mobile computers increasingly driven entirely by software.  That was fine so long as the only interface to on-board software was through inscrutable interfaces like the OBD-II port.  But now cars have cellular data connections, allowing remote access into the cars.

It’s especially true for electric cars which must support remote access so the car owner can monitor charging progress.

But what about the government snoops?  Think of all the revelations concerning NSA wiretapping and information collection.  They’re running an extensive and probably illegal system of collecting pretty much all information under the guise of finding terrorists or something.

It started well before the Obama Administration – the GW Bush administration launched what was called the Total Information Awareness system in 2001, renaming it to the Terrorist Information Awareness system following the September 11 attacks.  That system sought to track a huge variety of information like credit card activities, looking for patterns of dangerous activity.  Since then repeated revelations have made it clear that government snoops have been expanding their information gathering efforts.  We should assume everything we do with our cell phones is tracked by government agencies.

With that level of data gathering, wouldn’t the same government snoops want information about what we do with our cars?

And wouldn’t governments want the ability to remotely control cars?  For example, it’s known that high speed police chases are dangerous and can easily result in death or injury of innocent bystanders, police officers, or the suspects being pursued.  Therefore, police agencies want the option to remotely shut down car engines to cut the chase short.

A few days ago, California Highway Patrol officers in Southern California got OnStar assistance to shut down a Chevy Spark they were chasing.  On police request OnStar activated the “stolen car slowdown feature” which forced the car to a maximum 5 miles/hr speed, allowing CHP officers to stop the car and arrest the occupants.  The feature has been in OnStar-equipped cars for 18 years, is used about five times a month and has been used to recover 60,000+ vehicles.

While you can find positive useful instances, like this one, of remote remote control.  But – there is clearly the opportunity for misuse.

About David Herron

David Herron is a writer and software engineer living in Silicon Valley. He primarily writes about electric vehicles, clean energy systems, climate change, peak oil and related issues. When not writing he indulges in software projects and is sometimes employed as a software engineer. David has written for sites like PlugInCars and TorqueNews, and worked for companies like Sun Microsystems and Yahoo.

About David Herron

David Herron is a writer and software engineer living in Silicon Valley. He primarily writes about electric vehicles, clean energy systems, climate change, peak oil and related issues. When not writing he indulges in software projects and is sometimes employed as a software engineer. David has written for sites like PlugInCars and TorqueNews, and worked for companies like Sun Microsystems and Yahoo.

Leave a Reply