What we know about car hacking, the CIA and those WikiLeaks claims
The inwards track on Washington politics.
*Invalid email address
Tucked into WikiLeaks’ analysis of a trove of documents allegedly from the Central Intelligence Agency is a stunning line: That the agency has looked into hacking cars, which WikiLeaks asserts could be used to carry out “nearly undetectable assassinations.”
In making its claim, WikiLeaks links to meeting notes from two thousand fourteen listing “potential mission areas” for the CIA’s Embedded Devices Branch, which includes “Vehicle Systems” and “QNX.” The leaked documents, which The Washington Post could not independently verify and the CIA has declined to confirm, do not show up to suggest the vehicles be used for assassinations, and even WikiLeaks admits “the purpose of such control is not specified.”
The fear that your car can be hacked and made to crash is not fresh, and it’s not entirely unfounded. Concerns about automotive cyber security have been raised since automakers began outfitting cars and trucks with computer-controlled systems.
Those concerns have been compounded in latest years as an enhancing number of cars come tooled with connections, including satellite, Bluetooth and Internet, that experts say make them more vulnerable to hackers who can then build up access to the computerized systems without ever stepping foot near the actual vehicle.
Here is what we know about hacking into and remotely controlling cars:
Vehicles have been hacked before
In 2015, security researchers Charlie Miller and Chris Valasek hacked into a two thousand fourteen Jeep Cherokee and managed to “turn the steering wheel, shortly disable the brakes and shut down the engine,” the Post’s Craig Timberg reported. The pair found they could also access thousands of other vehicles that used a wireless entertainment and navigation system called Uconnect, which was common to Dodge, Jeep and Chrysler vehicles. The hack prompted Fiat Chrysler to recall 1.Four million vehicles.
“It doesn’t emerge that any manufacturers presently have detection/prevention methods for such attacks,” Valasek said via email Tuesday. “Remember, Charlie and I did all this research in our spare time with limited resources. ”
The Miller and Valasek hack is widely reported, but it wasn’t the very first or even most latest successful security breach. Researchers from the University of Washington and the University of California at San Diego published papers in two thousand ten and two thousand eleven demonstrating that vehicles could be compromised when hackers build up access, either in person or remotely.
Last year, researchers in Germany released a probe displaying they could unlock and embark twenty four different vehicles with wireless key fobs by taking control of the device remotely and amplifying its signal, Wired magazine reported. While the wireless key fob was still on the kitchen counter, hackers could be driving off with the car, researchers claimed.
Yoni Heilbronn, the vice president of marketing at Argus Cyber Security, an automotive security company, said: “The equation is very ordinary. If it’s a computer and it connects to the outside world, then it is hackable.”
Hackers could crash your car, but it’s unlikely
Perhaps the greatest car-hacking fear is the idea that someone could take control of your vehicle and drive it over a bridge or into a brick wall.
The WikiLeaks release even renewed suspicions about the death of journalist Michael Hastings, who was killed in a single-car accident in Los Angeles in 2013.
“You could envision doing all sorts of things, such as waiting until the car is going above a particular speed limit and then apply one of the brakes or steer [the wheel] in cars for which you can control the steering,” said Stephen Checkoway, an assistant computer science professor at the University of Illinois at Chicago.
That fear is not without merit. As Miller and Valasek demonstrated, hackers have compromised some of the vehicle’s most critical functions and safety features before.
But those hacks require time and technical know-how to execute, making an attack something a run-of-the-mill criminal is unlikely to carry out, said Sam Lauzon, a researcher and developer at the University of Michigan Transportation Research Institute. What’s more, automakers are increasingly isolating the computers that control the vehicle’s most sensitive systems, meaning they cannot be breached even if hackers tap into other technologies, such as the entertainment system, he said.
“The likelihood of someone driving you off the road while you’re driving down the freeway is very slender,” Lauzon said. “Very slender.”
The WikiLeaks CIA documents did not emerge to suggest details on how the agency intended to hack into vehicles.
Your entertainment system is most vulnerable
Also listed in the WikiLeaks document of “possible mission areas” is QNX, a popular operating system for in-car entertainment and navigation technologies. Since 2010, QNX has been possessed by the company now known as BlackBerry. The system has been used in more than fifty million vehicles that range from Audi to Ford to Maserati, according to the company.
“Providing the highest level of security has always been at the core of our mission,” a BlackBerry spokeswoman said in an email. The company added that its security research groups permanently monitor software for vulnerabilities that need to be stationary.
Lauzon speculates that hacking the operating system could permit the CIA to track a vehicle’s movements, listen to conversations, or monitor other data that passes through the system.
The entertainment system is typically one of the most vulnerable to attack because it’s so very connected to the outside world, both Lauzon and Heilbronn said. Connections to cellular networks, Bluetooth, WiFi, etc. often come through the system, permitting you to play music, take phone calls, look up directions or connect to other applications.
It’s hard to tell when a vehicle has been hacked
The “nearly undetectable” assertion in the WikiLeaks claim likely stems from the fact that it’s difficult to determine when a car has been hacked, experts say.
“Today, manufacturers indeed have no idea what’s going on,” Heilbronn said. “They have no idea if it’s been hacked or not.”
There is no mechanism to alert manufacturers when a car is behaving erratically or shows up to otherwise be compromised, Lauzon said. But technology companies and automakers alike have such technology under development.
“I haven’t seen one fitted on a vehicle at assembly time, but it’s something they’re looking into the feasibility of,” Lauzon said.
Automakers are aware of the problem
Today, Miller and Valasek work at ride-hailing company Uber. Auto manufacturers and transportation companies have scooped up a number of cyber experts in latest years, part of a concerted effort in the industry to build products with stronger security features.
Carlos Ghosn, the head of an alliance that includes Nissan, Mitsubishi and Renault, told a crowd in Washington last week that the employees building the alliance’s self-driving and connected car technologies are “surrounded by cybersecurity specialists who spend their time analyzing what could go wrong.”
“We take it very gravely because we know the end ticket to this technology is making sure that we’re going to reassure the regulator that you have a sufficient level of cybersecurity,” he said.
One of the challenges nagging automakers is how to update security software once it is installed in the vehicle. Cyber threats are always switching and upgrading a car’s security software through downloads — much as you would update the software on a smartphone — has only recently become feasible.
In 2015, auto industry players created the Automotive Information Sharing and Analysis Center to interchange information about cyber security threats and how to combat them. Then last October, the National Highway Traffic Safety Administration published a cyber security “best practices” guide for automakers with suggestions for building more secure vehicles.
Computers in cars are actually a truly good thing
Before you rush out to buy a dated vehicle to avoid the latest technology, it’s worth noting the benefits of driving computers on wheels.
Many modern safety features depend on computers and software to function, including anti-lock brakes, lane-assist technology and automatic crash notification. They also help under the rubber hood to make the engine more energy efficient and provide conveniences, such as the capability to make phone calls with both arms on the wheel, Checkoway said.
“That they have enable fresh attacks is worrying, but on balance computers have improved safety,” he said.
What you can do about cyber threats
The brief response is not much.
As Heilbronn points out, car security is not like picking out Norton or McAfee anti-virus software for your laptop. Automakers have to build cybersecurity protections and software into the vehicle before it ever hits the road, and proceed to update those programs as fresh threats emerge, he said.
“Today, the average customer doesn’t have any skill as to what should be installed,” Heilbronn said.
Lauzon does have one puny lump of advice: avoid installing your own onboard diagnostics, or OBDII, devices, which can monitor a car’s spectacle, provide Internet connections and other features. These devices can communicate with the vehicle’s internal systems but may rely on insecure wireless connections, he said.
What the WikiLeaks CIA files say about your car – The Washington Post
What we know about car hacking, the CIA and those WikiLeaks claims
The inwards track on Washington politics.
*Invalid email address
Tucked into WikiLeaks’ analysis of a trove of documents allegedly from the Central Intelligence Agency is a stunning line: That the agency has looked into hacking cars, which WikiLeaks asserts could be used to carry out “nearly undetectable assassinations.”
In making its claim, WikiLeaks links to meeting notes from two thousand fourteen listing “potential mission areas” for the CIA’s Embedded Devices Branch, which includes “Vehicle Systems” and “QNX.” The leaked documents, which The Washington Post could not independently verify and the CIA has declined to confirm, do not emerge to suggest the vehicles be used for assassinations, and even WikiLeaks admits “the purpose of such control is not specified.”
The fear that your car can be hacked and made to crash is not fresh, and it’s not entirely unfounded. Concerns about automotive cyber security have been raised since automakers began outfitting cars and trucks with computer-controlled systems.
Those concerns have been compounded in latest years as an enhancing number of cars come tooled with connections, including satellite, Bluetooth and Internet, that experts say make them more vulnerable to hackers who can then build up access to the computerized systems without ever stepping foot near the actual vehicle.
Here is what we know about hacking into and remotely controlling cars:
Vehicles have been hacked before
In 2015, security researchers Charlie Miller and Chris Valasek hacked into a two thousand fourteen Jeep Cherokee and managed to “turn the steering wheel, shortly disable the brakes and shut down the engine,” the Post’s Craig Timberg reported. The pair found they could also access thousands of other vehicles that used a wireless entertainment and navigation system called Uconnect, which was common to Dodge, Jeep and Chrysler vehicles. The hack prompted Fiat Chrysler to recall 1.Four million vehicles.
“It doesn’t show up that any manufacturers presently have detection/prevention methods for such attacks,” Valasek said via email Tuesday. “Remember, Charlie and I did all this research in our spare time with limited resources. ”
The Miller and Valasek hack is widely reported, but it wasn’t the very first or even most latest successful security breach. Researchers from the University of Washington and the University of California at San Diego published papers in two thousand ten and two thousand eleven demonstrating that vehicles could be compromised when hackers build up access, either in person or remotely.
Last year, researchers in Germany released a probe displaying they could unlock and embark twenty four different vehicles with wireless key fobs by taking control of the device remotely and amplifying its signal, Wired magazine reported. While the wireless key fob was still on the kitchen counter, hackers could be driving off with the car, researchers claimed.
Yoni Heilbronn, the vice president of marketing at Argus Cyber Security, an automotive security company, said: “The equation is very ordinary. If it’s a computer and it connects to the outside world, then it is hackable.”
Hackers could crash your car, but it’s unlikely
Perhaps the greatest car-hacking fear is the idea that someone could take control of your vehicle and drive it over a bridge or into a brick wall.
The WikiLeaks release even renewed suspicions about the death of journalist Michael Hastings, who was killed in a single-car accident in Los Angeles in 2013.
“You could envision doing all sorts of things, such as waiting until the car is going above a particular speed limit and then apply one of the brakes or steer [the wheel] in cars for which you can control the steering,” said Stephen Checkoway, an assistant computer science professor at the University of Illinois at Chicago.
That fear is not without merit. As Miller and Valasek demonstrated, hackers have compromised some of the vehicle’s most critical functions and safety features before.
But those hacks require time and technical know-how to execute, making an attack something a run-of-the-mill criminal is unlikely to carry out, said Sam Lauzon, a researcher and developer at the University of Michigan Transportation Research Institute. What’s more, automakers are increasingly isolating the computers that control the vehicle’s most sensitive systems, meaning they cannot be breached even if hackers tap into other technologies, such as the entertainment system, he said.
“The likelihood of someone driving you off the road while you’re driving down the freeway is very slender,” Lauzon said. “Very slender.”
The WikiLeaks CIA documents did not show up to suggest details on how the agency intended to hack into vehicles.
Your entertainment system is most vulnerable
Also listed in the WikiLeaks document of “possible mission areas” is QNX, a popular operating system for in-car entertainment and navigation technologies. Since 2010, QNX has been possessed by the company now known as BlackBerry. The system has been used in more than fifty million vehicles that range from Audi to Ford to Maserati, according to the company.
“Providing the highest level of security has always been at the core of our mission,” a BlackBerry spokeswoman said in an email. The company added that its security research groups permanently monitor software for vulnerabilities that need to be stationary.
Lauzon speculates that hacking the operating system could permit the CIA to track a vehicle’s movements, listen to conversations, or monitor other data that passes through the system.
The entertainment system is typically one of the most vulnerable to attack because it’s so very connected to the outside world, both Lauzon and Heilbronn said. Connections to cellular networks, Bluetooth, WiFi, etc. often come through the system, permitting you to play music, take phone calls, look up directions or connect to other applications.
It’s hard to tell when a vehicle has been hacked
The “nearly undetectable” assertion in the WikiLeaks claim likely stems from the fact that it’s difficult to determine when a car has been hacked, experts say.
“Today, manufacturers truly have no idea what’s going on,” Heilbronn said. “They have no idea if it’s been hacked or not.”
There is no mechanism to alert manufacturers when a car is behaving erratically or emerges to otherwise be compromised, Lauzon said. But technology companies and automakers alike have such technology under development.
“I haven’t seen one fitted on a vehicle at assembly time, but it’s something they’re looking into the feasibility of,” Lauzon said.
Automakers are aware of the problem
Today, Miller and Valasek work at ride-hailing company Uber. Auto manufacturers and transportation companies have scooped up a number of cyber experts in latest years, part of a concerted effort in the industry to build products with stronger security features.
Carlos Ghosn, the head of an alliance that includes Nissan, Mitsubishi and Renault, told a crowd in Washington last week that the employees building the alliance’s self-driving and connected car technologies are “surrounded by cybersecurity specialists who spend their time analyzing what could go wrong.”
“We take it very earnestly because we know the end ticket to this technology is making sure that we’re going to reassure the regulator that you have a sufficient level of cybersecurity,” he said.
One of the challenges nagging automakers is how to update security software once it is installed in the vehicle. Cyber threats are always switching and upgrading a car’s security software through downloads — much as you would update the software on a smartphone — has only recently become feasible.
In 2015, auto industry players created the Automotive Information Sharing and Analysis Center to interchange information about cyber security threats and how to combat them. Then last October, the National Highway Traffic Safety Administration published a cyber security “best practices” guide for automakers with suggestions for building more secure vehicles.
Computers in cars are actually a truly good thing
Before you rush out to buy a dated vehicle to avoid the latest technology, it’s worth noting the benefits of driving computers on wheels.
Many modern safety features depend on computers and software to function, including anti-lock brakes, lane-assist technology and automatic crash notification. They also help under the spandex hood to make the engine more energy efficient and provide conveniences, such as the capability to make phone calls with both mitts on the wheel, Checkoway said.
“That they have enable fresh attacks is worrying, but on balance computers have improved safety,” he said.
What you can do about cyber threats
The brief reaction is not much.
As Heilbronn points out, car security is not like picking out Norton or McAfee anti-virus software for your laptop. Automakers have to build cybersecurity protections and software into the vehicle before it ever hits the road, and proceed to update those programs as fresh threats emerge, he said.
“Today, the average customer doesn’t have any skill as to what should be installed,” Heilbronn said.
Lauzon does have one puny chunk of advice: avoid installing your own onboard diagnostics, or OBDII, devices, which can monitor a car’s spectacle, provide Internet connections and other features. These devices can communicate with the vehicle’s internal systems but may rely on insecure wireless connections, he said.
What the WikiLeaks CIA files say about your car – The Washington Post
What we know about car hacking, the CIA and those WikiLeaks claims
The inwards track on Washington politics.
*Invalid email address
Tucked into WikiLeaks’ analysis of a trove of documents allegedly from the Central Intelligence Agency is a stunning line: That the agency has looked into hacking cars, which WikiLeaks asserts could be used to carry out “nearly undetectable assassinations.”
In making its claim, WikiLeaks links to meeting notes from two thousand fourteen listing “potential mission areas” for the CIA’s Embedded Devices Branch, which includes “Vehicle Systems” and “QNX.” The leaked documents, which The Washington Post could not independently verify and the CIA has declined to confirm, do not show up to suggest the vehicles be used for assassinations, and even WikiLeaks admits “the purpose of such control is not specified.”
The fear that your car can be hacked and made to crash is not fresh, and it’s not fully unfounded. Concerns about automotive cyber security have been raised since automakers began outfitting cars and trucks with computer-controlled systems.
Those concerns have been compounded in latest years as an enlargening number of cars come tooled with connections, including satellite, Bluetooth and Internet, that experts say make them more vulnerable to hackers who can then build up access to the computerized systems without ever stepping foot near the actual vehicle.
Here is what we know about hacking into and remotely controlling cars:
Vehicles have been hacked before
In 2015, security researchers Charlie Miller and Chris Valasek hacked into a two thousand fourteen Jeep Cherokee and managed to “turn the steering wheel, shortly disable the brakes and shut down the engine,” the Post’s Craig Timberg reported. The pair found they could also access thousands of other vehicles that used a wireless entertainment and navigation system called Uconnect, which was common to Dodge, Jeep and Chrysler vehicles. The hack prompted Fiat Chrysler to recall 1.Four million vehicles.
“It doesn’t show up that any manufacturers presently have detection/prevention methods for such attacks,” Valasek said via email Tuesday. “Remember, Charlie and I did all this research in our spare time with limited resources. ”
The Miller and Valasek hack is widely reported, but it wasn’t the very first or even most latest successful security breach. Researchers from the University of Washington and the University of California at San Diego published papers in two thousand ten and two thousand eleven showcasing that vehicles could be compromised when hackers build up access, either in person or remotely.
Last year, researchers in Germany released a probe demonstrating they could unlock and embark twenty four different vehicles with wireless key fobs by taking control of the device remotely and amplifying its signal, Wired magazine reported. While the wireless key fob was still on the kitchen counter, hackers could be driving off with the car, researchers claimed.
Yoni Heilbronn, the vice president of marketing at Argus Cyber Security, an automotive security company, said: “The equation is very plain. If it’s a computer and it connects to the outside world, then it is hackable.”
Hackers could crash your car, but it’s unlikely
Perhaps the greatest car-hacking fear is the idea that someone could take control of your vehicle and drive it over a bridge or into a brick wall.
The WikiLeaks release even renewed suspicions about the death of journalist Michael Hastings, who was killed in a single-car accident in Los Angeles in 2013.
“You could envision doing all sorts of things, such as waiting until the car is going above a particular speed limit and then apply one of the brakes or steer [the wheel] in cars for which you can control the steering,” said Stephen Checkoway, an assistant computer science professor at the University of Illinois at Chicago.
That fear is not without merit. As Miller and Valasek demonstrated, hackers have compromised some of the vehicle’s most critical functions and safety features before.
But those hacks require time and technical know-how to execute, making an attack something a run-of-the-mill criminal is unlikely to carry out, said Sam Lauzon, a researcher and developer at the University of Michigan Transportation Research Institute. What’s more, automakers are increasingly isolating the computers that control the vehicle’s most sensitive systems, meaning they cannot be breached even if hackers tap into other technologies, such as the entertainment system, he said.
“The likelihood of someone driving you off the road while you’re driving down the freeway is very slender,” Lauzon said. “Very slender.”
The WikiLeaks CIA documents did not emerge to suggest details on how the agency intended to hack into vehicles.
Your entertainment system is most vulnerable
Also listed in the WikiLeaks document of “possible mission areas” is QNX, a popular operating system for in-car entertainment and navigation technologies. Since 2010, QNX has been possessed by the company now known as BlackBerry. The system has been used in more than fifty million vehicles that range from Audi to Ford to Maserati, according to the company.
“Providing the highest level of security has always been at the core of our mission,” a BlackBerry spokeswoman said in an email. The company added that its security research groups permanently monitor software for vulnerabilities that need to be stationary.
Lauzon speculates that hacking the operating system could permit the CIA to track a vehicle’s movements, listen to conversations, or monitor other data that passes through the system.
The entertainment system is typically one of the most vulnerable to attack because it’s so very connected to the outside world, both Lauzon and Heilbronn said. Connections to cellular networks, Bluetooth, WiFi, etc. often come through the system, permitting you to play music, take phone calls, look up directions or connect to other applications.
It’s hard to tell when a vehicle has been hacked
The “nearly undetectable” assertion in the WikiLeaks claim likely stems from the fact that it’s difficult to determine when a car has been hacked, experts say.
“Today, manufacturers truly have no idea what’s going on,” Heilbronn said. “They have no idea if it’s been hacked or not.”
There is no mechanism to alert manufacturers when a car is behaving erratically or emerges to otherwise be compromised, Lauzon said. But technology companies and automakers alike have such technology under development.
“I haven’t seen one fitted on a vehicle at assembly time, but it’s something they’re looking into the feasibility of,” Lauzon said.
Automakers are aware of the problem
Today, Miller and Valasek work at ride-hailing company Uber. Auto manufacturers and transportation companies have scooped up a number of cyber experts in latest years, part of a concerted effort in the industry to build products with stronger security features.
Carlos Ghosn, the head of an alliance that includes Nissan, Mitsubishi and Renault, told a crowd in Washington last week that the employees building the alliance’s self-driving and connected car technologies are “surrounded by cybersecurity specialists who spend their time analyzing what could go wrong.”
“We take it very gravely because we know the end ticket to this technology is making sure that we’re going to reassure the regulator that you have a sufficient level of cybersecurity,” he said.
One of the challenges nagging automakers is how to update security software once it is installed in the vehicle. Cyber threats are always switching and upgrading a car’s security software through downloads — much as you would update the software on a smartphone — has only recently become feasible.
In 2015, auto industry players created the Automotive Information Sharing and Analysis Center to exchange information about cyber security threats and how to combat them. Then last October, the National Highway Traffic Safety Administration published a cyber security “best practices” guide for automakers with suggestions for building more secure vehicles.
Computers in cars are actually a indeed good thing
Before you rush out to buy a dated vehicle to avoid the latest technology, it’s worth noting the benefits of driving computers on wheels.
Many modern safety features depend on computers and software to function, including anti-lock brakes, lane-assist technology and automatic crash notification. They also help under the fetish mask to make the engine more energy efficient and provide conveniences, such as the capability to make phone calls with both arms on the wheel, Checkoway said.
“That they have enable fresh attacks is worrying, but on balance computers have improved safety,” he said.
What you can do about cyber threats
The brief reaction is not much.
As Heilbronn points out, car security is not like picking out Norton or McAfee anti-virus software for your laptop. Automakers have to build cybersecurity protections and software into the vehicle before it ever hits the road, and proceed to update those programs as fresh threats emerge, he said.
“Today, the average customer doesn’t have any skill as to what should be installed,” Heilbronn said.
Lauzon does have one puny chunk of advice: avoid installing your own onboard diagnostics, or OBDII, devices, which can monitor a car’s spectacle, provide Internet connections and other features. These devices can communicate with the vehicle’s internal systems but may rely on insecure wireless connections, he said.
What the WikiLeaks CIA files say about your car – The Washington Post
What we know about car hacking, the CIA and those WikiLeaks claims
The inwards track on Washington politics.
*Invalid email address
Tucked into WikiLeaks’ analysis of a trove of documents allegedly from the Central Intelligence Agency is a stunning line: That the agency has looked into hacking cars, which WikiLeaks asserts could be used to carry out “nearly undetectable assassinations.”
In making its claim, WikiLeaks links to meeting notes from two thousand fourteen listing “potential mission areas” for the CIA’s Embedded Devices Branch, which includes “Vehicle Systems” and “QNX.” The leaked documents, which The Washington Post could not independently verify and the CIA has declined to confirm, do not show up to suggest the vehicles be used for assassinations, and even WikiLeaks admits “the purpose of such control is not specified.”
The fear that your car can be hacked and made to crash is not fresh, and it’s not fully unfounded. Concerns about automotive cyber security have been raised since automakers began outfitting cars and trucks with computer-controlled systems.
Those concerns have been compounded in latest years as an enlargening number of cars come tooled with connections, including satellite, Bluetooth and Internet, that experts say make them more vulnerable to hackers who can then build up access to the computerized systems without ever stepping foot near the actual vehicle.
Here is what we know about hacking into and remotely controlling cars:
Vehicles have been hacked before
In 2015, security researchers Charlie Miller and Chris Valasek hacked into a two thousand fourteen Jeep Cherokee and managed to “turn the steering wheel, shortly disable the brakes and shut down the engine,” the Post’s Craig Timberg reported. The pair found they could also access thousands of other vehicles that used a wireless entertainment and navigation system called Uconnect, which was common to Dodge, Jeep and Chrysler vehicles. The hack prompted Fiat Chrysler to recall 1.Four million vehicles.
“It doesn’t show up that any manufacturers presently have detection/prevention methods for such attacks,” Valasek said via email Tuesday. “Remember, Charlie and I did all this research in our spare time with limited resources. ”
The Miller and Valasek hack is widely reported, but it wasn’t the very first or even most latest successful security breach. Researchers from the University of Washington and the University of California at San Diego published papers in two thousand ten and two thousand eleven displaying that vehicles could be compromised when hackers build up access, either in person or remotely.
Last year, researchers in Germany released a examine showcasing they could unlock and commence twenty four different vehicles with wireless key fobs by taking control of the device remotely and amplifying its signal, Wired magazine reported. While the wireless key fob was still on the kitchen counter, hackers could be driving off with the car, researchers claimed.
Yoni Heilbronn, the vice president of marketing at Argus Cyber Security, an automotive security company, said: “The equation is very ordinary. If it’s a computer and it connects to the outside world, then it is hackable.”
Hackers could crash your car, but it’s unlikely
Perhaps the greatest car-hacking fear is the idea that someone could take control of your vehicle and drive it over a bridge or into a brick wall.
The WikiLeaks release even renewed suspicions about the death of journalist Michael Hastings, who was killed in a single-car accident in Los Angeles in 2013.
“You could envision doing all sorts of things, such as waiting until the car is going above a particular speed limit and then apply one of the brakes or steer [the wheel] in cars for which you can control the steering,” said Stephen Checkoway, an assistant computer science professor at the University of Illinois at Chicago.
That fear is not without merit. As Miller and Valasek demonstrated, hackers have compromised some of the vehicle’s most critical functions and safety features before.
But those hacks require time and technical know-how to execute, making an attack something a run-of-the-mill criminal is unlikely to carry out, said Sam Lauzon, a researcher and developer at the University of Michigan Transportation Research Institute. What’s more, automakers are increasingly isolating the computers that control the vehicle’s most sensitive systems, meaning they cannot be breached even if hackers tap into other technologies, such as the entertainment system, he said.
“The likelihood of someone driving you off the road while you’re driving down the freeway is very slender,” Lauzon said. “Very slender.”
The WikiLeaks CIA documents did not show up to suggest details on how the agency intended to hack into vehicles.
Your entertainment system is most vulnerable
Also listed in the WikiLeaks document of “possible mission areas” is QNX, a popular operating system for in-car entertainment and navigation technologies. Since 2010, QNX has been wielded by the company now known as BlackBerry. The system has been used in more than fifty million vehicles that range from Audi to Ford to Maserati, according to the company.
“Providing the highest level of security has always been at the core of our mission,” a BlackBerry spokeswoman said in an email. The company added that its security research groups permanently monitor software for vulnerabilities that need to be immobile.
Lauzon speculates that hacking the operating system could permit the CIA to track a vehicle’s movements, listen to conversations, or monitor other data that passes through the system.
The entertainment system is typically one of the most vulnerable to attack because it’s so very connected to the outside world, both Lauzon and Heilbronn said. Connections to cellular networks, Bluetooth, WiFi, etc. often come through the system, permitting you to play music, take phone calls, look up directions or connect to other applications.
It’s hard to tell when a vehicle has been hacked
The “nearly undetectable” assertion in the WikiLeaks claim likely stems from the fact that it’s difficult to determine when a car has been hacked, experts say.
“Today, manufacturers indeed have no idea what’s going on,” Heilbronn said. “They have no idea if it’s been hacked or not.”
There is no mechanism to alert manufacturers when a car is behaving erratically or emerges to otherwise be compromised, Lauzon said. But technology companies and automakers alike have such technology under development.
“I haven’t seen one fitted on a vehicle at assembly time, but it’s something they’re looking into the feasibility of,” Lauzon said.
Automakers are aware of the problem
Today, Miller and Valasek work at ride-hailing company Uber. Auto manufacturers and transportation companies have scooped up a number of cyber experts in latest years, part of a concerted effort in the industry to build products with stronger security features.
Carlos Ghosn, the head of an alliance that includes Nissan, Mitsubishi and Renault, told a crowd in Washington last week that the employees building the alliance’s self-driving and connected car technologies are “surrounded by cybersecurity specialists who spend their time analyzing what could go wrong.”
“We take it very earnestly because we know the end ticket to this technology is making sure that we’re going to reassure the regulator that you have a sufficient level of cybersecurity,” he said.
One of the challenges nagging automakers is how to update security software once it is installed in the vehicle. Cyber threats are always switching and upgrading a car’s security software through downloads — much as you would update the software on a smartphone — has only recently become feasible.
In 2015, auto industry players created the Automotive Information Sharing and Analysis Center to interchange information about cyber security threats and how to combat them. Then last October, the National Highway Traffic Safety Administration published a cyber security “best practices” guide for automakers with suggestions for building more secure vehicles.
Computers in cars are actually a indeed good thing
Before you rush out to buy a dated vehicle to avoid the latest technology, it’s worth noting the benefits of driving computers on wheels.
Many modern safety features depend on computers and software to function, including anti-lock brakes, lane-assist technology and automatic crash notification. They also help under the spandex hood to make the engine more energy efficient and provide conveniences, such as the capability to make phone calls with both forearms on the wheel, Checkoway said.
“That they have enable fresh attacks is worrying, but on balance computers have improved safety,” he said.
What you can do about cyber threats
The brief reaction is not much.
As Heilbronn points out, car security is not like picking out Norton or McAfee anti-virus software for your laptop. Automakers have to build cybersecurity protections and software into the vehicle before it ever hits the road, and proceed to update those programs as fresh threats emerge, he said.
“Today, the average customer doesn’t have any skill as to what should be installed,” Heilbronn said.
Lauzon does have one petite lump of advice: avoid installing your own onboard diagnostics, or OBDII, devices, which can monitor a car’s spectacle, provide Internet connections and other features. These devices can communicate with the vehicle’s internal systems but may rely on insecure wireless connections, he said.