Why there is just no way we’ll ever keep hackers out of our cars.
Attendees at DefCon conference in Las Vegas last month sure had a lot to feel smug about. With the GM and Chrysler car-hacking stories fresh on the minds of the the general public, hackers were once again in the mainstream spotlight. Only this time it wasn’t just about big corporation data breaches…it was something that could affect everyone’s daily commute.
With the encroachment of the connected lifestyle into the vehicles we drive, experts are having a hard time keep ahead of security risks. This past July, Wired Magazine published an article describing what a mid-commute car hack would feel like. Two weeks later, the Washington Post picked up the story and it went large.
The story? Reporter-turned-crash-test-dummy Andy Greenberg volunteered to have his drive through busy St. Louis highways hacked en-route and the results were unsettling. Hackers were able to control every aspect of the Jeep Cherokee Greenberg was driving, including the accelerator and the brakes.
Should you be worried?
Car hacking has been on the minds of tech-savvy readers for years now. We used to simply worry about hackers stealing our cars but now with the Greenberg story we’re worried our next road trip will turn into a fatal disaster. Hacking can have many outcomes, but the reasons we used to think we were immune no longer reassure us.
For many the answer for a hack-proof car has been one or both of the following things:
- keyless entry cars
- electric cars
Keyless cars seemed impervious to hacking because they require presence of the key fob in order to run. Electric cars were simply impossible to hotwire because the technology of the car is completely different. The “wires” you need to connect would fatally electrocute you.
Keyless cars and hacking
Owners of keyless cars originally loved the idea that their vehicle could never be hot-wired. Matching computer chips from the car and the keyfob must be near each other in order for the car to start…you can connect all the wires you want but unless that keyfob is there, no dice.
But now that’s been proven wrong.
Just this week, news broke that Volkswagen keyless entry cars were vulnerable to hacking…and the car manufacturer has known about it since 2012! Seems the apps used by keyless car owners are vulnerable to hacking, allowing coders to “learn” the codes used by the chips used to start the car. No fob, no problem.
Electric cars and hacking
Electric cars have traditionally been though of as hotwire-proof. That’s because they require a continuous loop of current in order to keep moving…one which, without the keys to the car, must be made by hand. This requires genius-level knowledge, disassembly of the car, and lots of luck…oh, and the ability to withstand many amps of current running through your body as you complete the loop of current required to run the car while your partner drives it away. In case you need to brush up on the properties of electricity, it’s not something you want to happen. Count on having to wire yourself up to the car every time you need to drive it, too.
Now, however, hacking an electric car has been done via laptop. Of course this still requires access to the car so you can plug into the dashboard, but that problem is far less troublesome than the problems arising from electrocuting yourself during your theft operation.
The irony here is that your Tesla might still be “hotwire proof” if only it didn’t have web capability!
Browser updates have never been so important
The Tesla car hack was carried out through the browser used by the car’s infotainment system. In this incident, it was an outdated browser which contained a vulnerability security teams have known about for more than four years. Found in Apple WebKit, the vulnerability is called the Zero Day Exploit.
Webkit vulnerabilities can be found in Apple Safari, Android and Ubuntu, but the Teslas ran an outdated version of Safari. This back-door vulnerability has also exposed millions of Playstations, Android phones, and BlackBerries, as well as a host of other devices. Hackers gleefully install Trojans or anything they like, giving them control of the device.
It’s one thing to have your Grand Theft Auto vehicle taken over, but your actual car? Unthinkable.
It all comes down to what could be described as human error
The chips in the Volkswagens described earlier were using outdated encryption, exposing the security code to hackers. In this case, the breach means the car can be stolen but not controlled remotely.
Still, it highlights the unsettling fact that even with teams of highly paid experts designing the most technologically advanced cars in the world, it all came down to human error. After all, a simple matter of failing to have the latest version of encryption technology? That’s like failing to update your virus software.
And in the case of the Zero Day Exploit used by Tesla hackers…this is truly unforgivable, given this breach is five years old. By any definition, the Zero Day Exploit is ancient history in hacker world. The thought that an outdated browser paved the way for hackers to use this ancient relic is more than unsettling…it’s unacceptable!
It just goes to show that car manufacturers aren’t investing enough money into hack-testing the computer systems in their cars. Universities, security firms, and startup hackers are the people discovering the security breaches, not GM, Chrysler, or Tesla. And in the case of Volkswagen, it was actually employees of Volkswagen who discovered the flaw…but VW chose to sue them instead of thanking their lucky stars the flaw wasn’t discovered first by outsiders.
Hackers will never be stopped as long as car companies allow this amateurish level of oversight to occur. Heck, we can’t even stop car companies from issuing cars with deadly mechanical flaws…how will we ever force them to be on top of their game with cyber security? We have to face facts: there’s just no way we’ll ever keep hackers out of our cars.