Ahead of tomorrow’s DEFCON conference there have been several announcements of car security vulnerabilities. I’ve long suspected these vulnerabilities would exist as more infotainment and communications capabilities are built into new cars. Projecting into the future we should expect more of these vulnerabilities, and that the Government (NSA, etc) will want to have access to these systems to track our movements or even maintain remote control of our cars.
The trend is clear that advanced technology being added to cars is a huge security risk, not just from malicious hackers but the kind of government snoops that are tracking everything we do with cell phones, or our activities in social media sites like Facebook.
The news started in July with a Wired “stunt journalism” article informing us that Chrysler’s JEEPs are very vulnerable to remote hacking. This featured a pair of “security researchers” who figured out how to locate any JEEP via the wireless service, and a vulnerability in the infotainment system with which they can remotely control almost every aspect of the car. This includes turning off the engine, controlling speed and braking, and more.
It’s very scary stuff, and the researchers worked with Chrysler/Fiat to ensure they had a fix ready to roll once it was revealed. That sounds like Fiat/Chrysler was acting responsibly, fixing known problems rather than sweeping them under the rug. However, yesterday Bloomberg News reported that Chrysler/Fiat may be in trouble with regulators because they didn’t disclose the vulnerability for 18 months.
There’s a tendency for manufacturers to try and sweep problems under the rug – because going through with fixing problems is more expensive. The default behavior, to ignore problems, means critical vulnerabilities would go unaddressed unless they somehow become public. In this case Fiat/Chrysler claims they were actively working on fixing the problem, and didn’t deem it a serious risk.
The JEEP vulnerability isn’t the only known one. Today news broke through CNN Money that other security researchers have identified several vulnerabilities in the Tesla Model S.
In this case the vulnerability requires physical access to the car. Using the vulnerability, attackers can remotely unlock the car, control speed, etc. Tesla Motors was informed of the problems, and is rolling out an over-the-air update.
It’s not just remote control – another Wired article describes a gizmo with which an attacker can snoop on radio signals between car and wireless key fob, then mimic the key fob to allow a thief to break into the car later.
In other recent news, VW announced they were rolling out advanced technology features in their whole 2016 product line, including the Audi A3 Sportback e-tron. VW, like the other automakers, is in a race to add in advanced technology and autonomous driving features to make cars more attractive in the smart phone era.
The trend is clear that car companies are going to keep advancing the technology built into cars. They see a huge market in self-driving autonomous cars (see the links below) and other technology.
Earlier I said this is a big risk. As a software engineer who worked in software quality engineering let me say something — every piece of software has bugs in it. Software testing is never finished, only exhausted – meaning that all software manufacturers ship with known bugs. They make a decision to go ahead and ship by ranking the known bugs with priority, and deciding it’s “okay” to do so if the known bugs are not serious.
In other words – cars are becoming mobile computers increasingly driven entirely by software. That was fine so long as the only interface to on-board software was through inscrutable interfaces like the OBD-II port. But now cars have cellular data connections, allowing remote access into the cars.
It’s especially true for electric cars which must support remote access so the car owner can monitor charging progress.
But what about the government snoops? Think of all the revelations concerning NSA wiretapping and information collection. They’re running an extensive and probably illegal system of collecting pretty much all information under the guise of finding terrorists or something.
It started well before the Obama Administration – the GW Bush administration launched what was called the Total Information Awareness system in 2001, renaming it to the Terrorist Information Awareness system following the September 11 attacks. That system sought to track a huge variety of information like credit card activities, looking for patterns of dangerous activity. Since then repeated revelations have made it clear that government snoops have been expanding their information gathering efforts. We should assume everything we do with our cell phones is tracked by government agencies.
With that level of data gathering, wouldn’t the same government snoops want information about what we do with our cars?
And wouldn’t governments want the ability to remotely control cars? For example, it’s known that high speed police chases are dangerous and can easily result in death or injury of innocent bystanders, police officers, or the suspects being pursued. Therefore, police agencies want the option to remotely shut down car engines to cut the chase short.
A few days ago, California Highway Patrol officers in Southern California got OnStar assistance to shut down a Chevy Spark they were chasing. On police request OnStar activated the “stolen car slowdown feature” which forced the car to a maximum 5 miles/hr speed, allowing CHP officers to stop the car and arrest the occupants. The feature has been in OnStar-equipped cars for 18 years, is used about five times a month and has been used to recover 60,000+ vehicles.
While you can find positive, useful instances of remote control, like this one, there is clearly the opportunity for misuse.