These days, new vehicles come with computer chips, software, and a host of connected technologies, such as digital instrument clusters and infotainment systems offering 3-D street views.
Connected cars expose some owners to car hacking, through which outside sources could tamper with keyless entry, the radio, or even the car’s driving system.
Although car hacking is a relatively new phenomenon, modern vehicles have been vulnerable to mischief ever since the federal government mandated that all new cars come equipped with an on-board diagnostics port, better known as an OBD-II, beginning in 1996.
Used chiefly by car dealerships and service centres to access a car’s controller area network (CAN) and each of its electronic control units (ECUs), OBD-IIs are not vulnerable to exterior hacking, yet are susceptible to anyone who gains access to a vehicle, such as a valet, mechanic or even a spurned lover.
>See also: How driverless cars can and will be hacked
If this individual has an inclination to do harm, the OBD-II provides a channel for uploading malicious code.
You should consider the CAN as the router for connecting all the ECUs in your car. Manufacturers began installing ECUs as far back as the 1970s, utilising them initially to control emissions and improve fuel mileage.
Today’s cars have anywhere from 50 to 100 ECUs, individually tasked with managing such features as the engine throttle, safety equipment, power accessories, the brakes, and the accelerator.
Hack the CAN and you can control each ECU. Fortunately, interior hacking is not a news item, except under controlled conditions, as we shall soon see.
Hackers make the news
What is newsworthy are the major exploits hackers have successfully attempted and shared publicly.
The car hacking news receiving the most attention followed the 2015 Black Hat Security Conference, where a Wired magazine reporter, Andy Greenberg, told the story about how he drove a Jeep Cherokee exploited by a pair of hackers, Charlie Miller and Chris Valasek. (It was part of a planned experiment, and he knew that they would take command of the SUV while he was driving it.)
Initially, the hackers took over the car’s climate control system, sending frigid air through the vents. Next, they switched the radio station and blasted the volume.
For the third exploit, the duo activated the wipers and sprayed the windshield with fluid. With each hack, Greenberg was unable to contravene the commands.
Every exploit was initiated from a laptop ten miles from the Jeep. Valasek and Miller assured Greenberg ahead of time that his safety would not be compromised, but the reporter’s confidence was quickly eroded when they cut power to the transmission and deactivated the accelerator.
At one point the hackers cut the Jeep’s brakes and the reporter kept pumping the brake pedal to no avail as the SUV slowly slid into a ditch.
The Jeep-in-the-ditch photo accompanied nearly every news story that followed, putting an exclamation point on all things car hacking.
Meanwhile, not everyone is convinced the Wired story paints an accurate picture of car hacking. Indeed, seven months after the original article was published, a response by technology writer David Pogue published by Scientific American refuted the narrative.
Pogue noted that the Jeep Cherokee belonged to the hackers who spent more than a year learning how to hack it. That means they needed physical access to the Jeep to exploit it. Another important tidbit missed by many as they shared Greenberg’s experience is that the kind of hacks attempted requires a car to have cellular Internet service.
Importantly, no hacker has ever taken remote control of a stranger’s vehicle. And Pogue contends that it would take “teams working full-time to find a way to do it”. Still, less extreme cases of hacking are causing havoc for some car owners, such as hackers finding a way to gain access to keyless entry systems.
But will future cars be more vulnerable to hacking as internet connectivity goes mainstream? Yes, that is possible.
Consequently, car manufacturers are taking a leadership role here by designing secure systems from the onset and by keeping vehicles’ control circuits separate from the internet circuits. Besides, whatever weaknesses were identified during the Wired hacking stunt have since been fixed by the manufacturer.
The FBI and NHTSA issued a joint warning about the “increasing vulnerability” of car hacking not a month after the Scientific American rebuttal. Specifically, the warning points out the risk of what might “happen when a hacker gains access to a vehicle system, giving him or her access to driver data or the ability to manipulate vehicle functionality”.
The agencies caution drivers and provide steps they can take to prevent this vulnerability – things tech-savvy people already know full well: never open suspicious email or click on a link that could lead to you uploading malicious software to the vehicle, keep your vehicle software up-to-date, use caution when making modifications to vehicle software, be careful when connecting third-party devices to your vehicle, and maintain awareness of who has access to your vehicle.
For now, this is good advice to heed, and unless another exploit is successfully launched remotely hijacking a vehicle’s control system, we can take these solid steps to keep our cars safe. And instead of worrying about an unlikely scenario unfolding, you can look forward to more autonomous features taking hold and the eventuality of your first driverless ride.