Ahead of tomorrow’s DEFCON conference there have been several announcements of car security vulnerabilities. I’ve long suspected these vulnerabilities would exist as more infotainment and communications capabilities are built into new cars. Projecting into the future we should expect more of these vulnerabilities, and that the Government (NSA, etc.) will want to have access to these systems to track our movements or even maintain remote control of our cars.
The trend is clear that advanced technology being added to cars is a huge security risk, not just from malicious hackers but the kind of government snoops that are tracking everything we do with cell phones, or our activities in social media sites like Facebook.
The news started in July with a Wired “stunt journalism” article informing us that Chrysler’s JEEPs are very vulnerable to remote hacking. This featured a pair of “security researchers” who figured out how to locate any JEEP via the wireless service, and a vulnerability in the infotainment system with which they can remotely control almost every aspect of the car. This includes turning off the engine, controlling speed and braking, and more.
It’s very scary stuff, and the researchers worked with Chrysler/Fiat to ensure they had a fix ready to roll once it was revealed. That sounds like Fiat/Chrysler was acting responsibly, fixing known problems rather than sweeping them under the rug. However, yesterday Bloomberg News reported that Chrysler/Fiat may be in trouble with regulators because they didn’t disclose the vulnerability for 18 months.
There’s a tendency for manufacturers to try and sweep problems under the rug – because going through with fixing problems is more expensive. The default behavior, to ignore problems, means critical vulnerabilities would go unaddressed unless they somehow become public. In this case Fiat/Chrysler claims they were actively working on fixing the problem, and didn’t deem it a serious risk.
The JEEP vulnerability isn’t the only known one. Today news broke through CNN Money that other security researchers have identified several vulnerabilities in the Tesla Model S.
In this case the vulnerability requires physical access to the car. Using the vulnerability, attackers can remotely unlock the car, control speed, etc. Tesla Motors was informed of the problems, and is rolling out an over-the-air update.
It’s not just remote control – another Wired article describes a gizmo with which an attacker can snoop on radio signals between car and wireless key fob, then mimic the key fob to allow a thief to break into the car later.
In other recent news, VW announced they were rolling out advanced technology features in their whole 2016 product line, including the Audi A3 Sportback e-tron. VW, like the other automakers, is in a race to add in advanced technology and autonomous driving features to make cars more attractive in the smart phone era.
The trend is clear that car companies are going to keep advancing the technology built into cars. They see a huge market in self-driving autonomous cars (see the links below) and other technology.
Earlier I said this is a big risk. As a software engineer who worked in software quality engineering let me say something — every piece of software has bugs in it. Software testing is never finished, only exhausted – meaning that all software manufacturers ship with known bugs. They make a decision to go ahead and ship by ranking the known bugs with priority, and deciding it’s “okay” to do so if the known bugs are not serious.
In other words – cars are becoming mobile computers increasingly driven entirely by software. That was fine so long as the only interface to on-board software was through inscrutable interfaces like the OBD-II port. But now cars have cellular data connections, allowing remote access into the cars.
It’s especially true for electric cars which must support remote access so the car owner can monitor charging progress.
But what about the government snoops? Think of all the revelations concerning NSA wiretapping and information collection. They’re running an extensive and probably illegal system of collecting pretty much all information under the guise of finding terrorists or something.
It started well before the Obama Administration – the GW Bush administration launched what was called the Total Information Awareness system in 2001, renaming it to the Terrorist Information Awareness system following the September 11 attacks. That system sought to track a huge variety of information like credit card activities, looking for patterns of dangerous activity. Since then repeated revelations have made it clear that government snoops have been expanding their information gathering efforts. We should assume everything we do with our cell phones is tracked by government agencies.
With that level of data gathering, wouldn’t the same government snoops want information about what we do with our cars?
And wouldn’t governments want the ability to remotely control cars? For example, it’s known that high speed police chases are dangerous and can easily result in death or injury of innocent bystanders, police officers, or the suspects being pursued. Therefore, police agencies want the option to remotely shut down car engines to cut the chase short.
A few days ago, California Highway Patrol officers in Southern California got OnStar assistance to shut down a Chevy Spark they were chasing. On police request OnStar activated the “stolen car slowdown feature” which forced the car to a maximum 5 miles/hr speed, allowing CHP officers to stop the car and arrest the occupants. The feature has been in OnStar-equipped cars for 18 years, is used about five times a month and has been used to recover 60,000+ vehicles.
While you can find positive, useful instances of remote control, like this one, there is clearly the opportunity for misuse.
- How will RoboCars work, and when will we have RoboCar's?
- RoboCar's could save our cities, according to Brad Templeton
- Will Self driving robocars really eliminate traffic jams, and individual car ownership?
- Tesla Motors looking to hire more autonomous driving expertise
- D is for Dual Drive, and in Tesla's world "Something Else" is for Auto Pilot but not autonomous driving
- Tesla Motors looking to hire autonomous vehicle radar system engineers ... hmmm...
- AAA warns automated driver assist don't mean safer cars, drivers still have to pay attention
- Nissan's zero-emissions zero-fatalaties pledge includes autonomous driving by 2020
- Tesla Motors confirms autonomous driving plans - calls for 90% solution rather than 100%
- Ford shows more automated driving technology at LA Auto Show