Car hacking recently made headlines when a pair of computer security experts remotely took charge of a 2014 Jeep Cherokee from miles away. Charlie Miller, formerly a security researcher for Twitter and now an engineer at Uber, and Chris Valasek, director of vehicle security research at IO Active, exploited a vulnerability in the vehicle's cloud-connected UConnect infotainment system to blast the air-conditioner, crank the stereo, turn on the wipers and even disable the transmission. The takeover, performed in a Cherokee that the researchers bought for their project, ultimately left the driver, a journalist from Wired.com, stuck on a crowded highway in St. Louis as a big rig approached from behind. That made car hacking big news.
The pair's exploits (along with a push from the National Highway Traffic Safety Administration) eventually prompted Jeep parent company Fiat Chrysler Automobiles (FCA) to issue a recall of 1.4 million vehicles with the at-risk infotainment system. On the same day that the Wired story appeared, U.S. Senators Ed Markey and Richard Blumenthal introduced legislation calling for new vehicles to be rated for cybersecurity in the same way they're tested for crashworthiness. Within weeks, the Jeep hack was followed by the discovery of additional connected car vulnerabilities by other "white hat" hackers, who were able to open the doors and start the engine of General Motors vehicles and shut off the motor of a Tesla Model S.
While the recent rash of car hacks may be enough for some consumers to consider buying a vehicle without any form of connectivity, the threat of car hacking is not as imminent and ominous as recent headlines suggest. For starters, malicious hackers still don't have much motive for targeting a car. Second, figuring out car vulnerabilities takes time, money and expertise.
Nevertheless, as vehicles incorporate increasing levels of connectivity, new car buyers should be aware of current and future hacking threats. That means knowing which vehicles are most vulnerable and what automakers are doing about problems. The incidents should also be a wake-up call for owners who tend to ignore recall and software update notices from manufacturers. Those fixes are the best defense against any software vulnerabilities in connected cars.
Hacking Takes Sophistication and Access
Most computer security professionals concede that anything connected to the Internet or "cloud," including cars, can be hacked. It appears that the first generation of connected vehicles, particularly those with built-in cellular modems, is most vulnerable. This includes the 1.4 million vehicles recalled by FCA and millions more with telematics systems like GM's OnStar.
But cybersecurity experts acknowledge that hacking into a connected car typically takes a lot of time and trouble.
"This isn't something you can just download, double-click on and attack a car," said Craig Smith, a security researcher who works with automakers and suppliers. Smith also founded Open Garages, a community for sharing and collaborating on automotive research.
"If you're a security researcher, you can do it. I could probably do an attack similar to the Jeep in about three weeks," he added.
"It's clear from the recent spate of car hacking incidents that the sophistication and time devoted to finding these exploits is pretty significant," said Andrew Poliak, global director of automotive business development at QNX, an automotive software supplier. "It's not your average hacker that finds easy ways to exploit a connected car. It takes an individual who really knows a lot, not just about computers, but also about automobiles, networks and a variety of things."
The Jeep hack required the updating of programs in the computer operating system for the UConnect infotainment system. Miller also had to take the Jeep to the dealer twice to replace the main computer, which he and Valasek "bricked" during their experiments. But the researchers' work ultimately did allow them to remotely control the Jeep Cherokee and, potentially, other Fiat Chrysler vehicles with the vulnerable system. (FCA said in its corporate blog that "there has not been a single real-world incident of an unlawful or unauthorized remote hack into any FCA vehicle.")
For the Tesla Model S hack, researchers had to disassemble the dashboard in order to access the car's computer and modify the software. These software mods allowed them to remotely lock or unlock the doors, open the trunk, start the motor and even move the car and power its systems down by sending commands over the Internet.
Hacker Samy Kamkar, meanwhile, came up with a device that he dubbed OwnStar. Kamkar showed that his device could intercept commands from GM's OnStar smartphone app, allowing him to open a vehicle's doors and start the engine, although it did not allow the vehicle to be driven. Troublingly, his hacks did not require physical access to the target cars.
"There are lots of ways that, if bad guys really wanted to mess with your car, [would be easier] than using hacking techniques," said Poliak. "In most cases, if somebody wants to take over the car, it's much easier to do it from the outside and tamper with the braking system or tires.
"That said, we can't sit back, because there's no room for error in making sure that the auto industry proactively prevents hacking vehicles."
Software Updates to the Rescue
Smith said that the auto industry is now going through the same learning process the computer industry dealt with two decades ago as computers started to become connected and hacked.
"I'm disappointed that more wasn't done as connectivity was being added to cars," he said. "Right now there are more vulnerabilities than there should be.
"We're in this spot where cars that are out now or will be soon haven't been designed for cybersecurity. So you have issues for existing cars, and you have issues that are being addressed for future cars."
To deal with current hacking concerns, automakers have been issuing security patches via software updates for vehicles that have known security risks. To update the UConnect 8.4 system that was the subject of the recent recall and address its vulnerabilities, FCA sent out a software patch on a USB drive to owners of affected Chrysler, Dodge, Jeep and Ram vehicles. (Edmunds used another remedy, downloading the software patch from FCA's site to a USB drive to protect the long-term 2014 Ram 1500 Ecodiesel.) Sprint, the wireless carrier for the UConnect system's cloud-based features, also blocked the channel of communication that had been used by the researchers.
In early September, FCA announced another cybersecurity recall for a potential hacking vulnerability in 7,810 2015 Jeep Renegades.
Meanwhile, GM used an over-the-air software (OTA) update to fix the bug that hacker Kamkar discovered in the RemoteLink smartphone app. Kamkar told Wired that the same vulnerability exists in remote smartphone apps for BMW and Mercedes-Benz, but said that he had not field-tested it with any of the makers' cars.
BMW told Edmunds that it addresses any potential security vulnerabilities via OTA updates that it developed in February 2015, after a German motorist association identified a security gap. Mercedes-Benz told Edmunds that it routinely checks vulnerabilities in its apps, "particularly those that might affect the safety of our customers, and to date no such vulnerabilities have been found."
"We know of no real-world instances where there was a breach," Rob Moran, director of corporate communications, said in an email.
For its part, Tesla sent out an OTA software update to the Model S to thwart future hacks similar to the one performed by security researchers.
"That's why security organizations I work with, like Open Garages and I Am the Cavalry, are pushing [for] over-the-air updates," Smith said.
He added that the Jeep hack illustrates two main issues affecting connected car security. While software can be easily updated, hardware that's designed years before a vehicle hits the market cannot. For example, Harman, which supplies the UConnect hardware that was the subject of the FCA recall, said the system was five years old and lacked security safeguards built into newer systems. Hardware issues are "very expensive to fix and are not going to be fixed overnight," Smith said.
Bounties for Software Bugs
The analogy between cars and computers only goes so far. Cars last a lot longer, for one thing, and they're also much more dangerous when they crash. With a PC, smartphone or tablet, a hacker exploits a security vulnerability and then companies send out a patch to fix it, Poliak said. It's a "hamster wheel of hack, patch, hack, patch, hack, patch," he said.
"While that may seem appropriate in consumer devices like PCs, as we get autonomous vehicles, there has to be zero tolerance to hacking," Poliak said.
Poliak said he noticed changes in the auto industry's approach to hacking even before the most recent incidents. "The number of cybersecurity divisions within car companies has gone up dramatically," he said. "If you look at all the major OEMs, you'll find somebody with the title of head of cybersecurity looking at the vehicle as an attack surface."
Smith said that he's also seeing more outside security researchers working with automakers. Miller and Valasek notified FCA about their Jeep hack so that the automaker could take steps to update the UConnect system. BMW, GM and Mercedes-Benz worked with Kamkar to quickly fix the issue with their remote apps. Tesla even met with hackers at the recent Def Con conference in Las Vegas and offered bounties of up to $10,000 for finding software bugs in its vehicles.
The Alliance of Automobile Manufacturers and the Association of Global Automakers, the industry trade groups that represent all major car companies, also recently formed an information-sharing and analysis center to pool knowledge that could help combat cybersecurity threats. The groups also plan to collaborate with industries such as banking and credit card companies that have dealt with similar issues.
No Incentive for Bad Guys — Yet
One reason there haven't been car hacks outside of the research community (with one notable exception) is that there's not a strong incentive for cyber-criminals. (The exception was a disgruntled car dealership employee who disabled more than 100 cars in Texas using remote vehicle-repossession technology.) Smith imagines scenarios in which someone could hold a connected car or the information it stores as ransom.
"You won't be able to start the car unless you come up with, say, $5,000," he said. "Or all the information stored by your connected car (your contacts, where you go, where you've been) could be worth a lot of money."
Another vulnerability arrives as automakers begin to offer drivers ways to buy food, lodging and other services via connected cars. Ford has an app that lets drivers order Domino's Pizza using voice controls and a smartphone, while OnStar's AtYourService feature allows a driver to book a hotel room on Priceline.com using voice commands.
"The issue is that information stored in or transferred wirelessly from the automobile can be compromised, as we have seen with previous hacks," said Thilo Koslowski, vice president of the auto practice at Gartner. "In the future that could include payment information. So while hackers today might focus on disabling and controlling vehicle functions, they could potentially expand to personal information, including payment data."
"Today the motivation for hacking a car is mischief, with an objective of hurting people or car companies," Koslowski told Automotive News. But he added that once shopping and other services are added as part of vehicle connectivity, "the car will definitely be viewed as a vulnerable device."