In just a few years, the concept of car-hacking has moved from theory and test environments into reality, as more recent demonstrations proved that control of certain vehicles can pass to a distant attacker, putting passengers’ lives in peril.
Significant findings on hacking vehicles have been publicly available since at least 2010, when researchers revealed serious weaknesses in the security system of a modern vehicle. Early research demonstrated the attacks with wired access to the car, assuming that remote communication with the car was possible because of the different wireless entry points available (WiFi, radio, Bluetooth, cellular). The experiments showed exploitation possibilities that extended to critical functions such as brakes, steering and engine. Later studies revealed that remote attacks on cars were possible.
However, it was Charlie Miller’s and Chris Valasek’s work in this area that started to draw the attention of the media and automakers alike to flaws in modern cars. The physical hack they performed on a Ford Escape and a Toyota Prius in 2013 included tricks ranging from influencing speed and steering to spoofing the GPS and altering speedometer data. Two years later, they remotely exploited a Jeep Cherokee and gained access to braking and steering controls, making the attack plausible in a real-life situation. The gravity of their findings led Fiat Chrysler to recall about 1.4 million units for security fixes.
A clear, positive outcome of all this is that automakers have started to take IT security experts seriously and to allocate resources to correct, as fast as they can, flaws reported directly to them or through bug bounty platforms. Tesla has had such a program since 2015; General Motors and Fiat Chrysler followed suit the next year.
In 2014, BMW fixed a glitch in the ConnectedDrive system that allowed opening the cars via mobile radio. In March this year, Hyundai patched its Blue Link mobile app against flaws that allowed a remote attacker to track, unlock and start a car that was paired with the software. Last month, Bosch announced an update for the Drivelog Connector dongle and its phone app. The update helped prevent the remote stopping of an engine in a moving car, and made it impossible to send random instructions that could physically affect the vehicle and its passengers.
Although studies have highlighted poor automotive security, there is comfort in the fact that remote car-hacking is complex and very difficult to accomplish. In all cases, the researchers needed a long time to get results, and they had to become familiar with the car’s internal network architecture and communication. Also, special tools were required to intercept and inject messages so that the car would ignore the driver’s commands and obey the hacker’s. Moreover, the same techniques do not apply to all models with the same results.
For now, taking control over a car remotely and at whim is just a movie stunt.
Photo credit: Harutmovsisyan for Pixabay