“Our cars have become more and more computerized. Keyless entry, ignition control, tire pressure monitoring, diagnostic controls, navigation and the entertainment systems are now computerized and subject to Internet or cellular access. A new car today can have as many as forty wireless access points.”  — Steve Weisman, USA Today

If you watch much TV, you’ve probably seen at least one show/movie in recent years where someone was killed or seriously hurt when someone/thing remotely took over their vehicle — i.e., by overriding the steering, disabling the brakes, messing with the wipers or radio, etc. — and caused them to crash. (An episode of “Elementary” comes to mind.) Or, you may have read an article in Wired or some other periodical or maybe watched a news segment in which such a situation was described. Is this a legitimate fear to have? Or, is it just fear-mongering by way of technophobia, paranoia, overactive imaginations, or merely overzealous journalism? Well, it depends who you ask, of course.

The FBI, Department of Transportation, and the National Highway Traffic and Safety Administration are concerned enough to have issued a joint-PSA. As per Wired,

“The FBI and DOT’s advice includes keeping automotive software up to date and staying aware of any possible recalls that require manual security patches to your car’s code, as well as avoiding any unauthorized changes to a vehicle’s software and being careful about plugging insecure gadgets into the car’s network…. The announcement also notes that drivers should be careful about offering physical access to their vehicles to strangers…. [A]nyone who suspects their car has been hacked [should] get in contact with the FBI, along with the car manufacturer and the National Highway and Traffic Safety Administration.”

On the other hand, the writer of a Scientific American article from last Fall finds the danger much overstated.

“In February 60 Minutes ran a story about a similar experiment. “Oh, my God,” the correspondent exclaims as her brakes stop working. “That is frightening!”

But would it have been as frightening if she had mentioned that this kind of hack requires a car with cellular Internet service, that it had taken a team of researchers years to make it work — and that by then the automaker had fixed the software to make such a hack impossible for vehicles on the road? …

Here’s the simple truth. No hacker has ever taken remote control of a stranger’s car. Not once. It’s extraordinarily difficult to do. It takes teams working full-time to find a way to do it….

Now let me hasten to say this: car security is serious. Not very many cars have built-in Internet connections today…but their number is growing…. [T]he industry’s concern over hackable cars isn’t misplaced. Researchers who try to break in are performing a valuable service in drawing attention to a potential danger….

Yes, new technology is always a little scary. But let’s not exploit that fear. Let’s assess the hackable-car threat with clarity, with nuance — and with all the facts. Today remotely hackable cars are still only a hypothetical threat.”

What do others in the software industry think? Steve Jones of SQLServerCentral.com, writing in “The Voice of the DBA” from 7/31/2017, isn’t so confident.

“I think this [Scientific American] piece understates the potential problems. I think that because once a hack is discovered, how sure are we that a) it will be reported to vendors (hackers might just exploit it), or b) that a fix will certainly be developed that works well and doesn’t cause any issues (remember 10s of millions of lines of code [in] current year cars), and c) consumers will apply the patch. That last item worries me, especially if cars become more connected and share data about operation or as we move to autonomous (semi- or total) vehicles.

Personally I’m not against code in vehicles. I’m not even against some connected systems. What I am against is a monolithic, tightly coupled system. I don’t want engine control or drive by wire sharing a network or code with a CD player or navigation system. I don’t want one computer controlling vehicular functions, entertainment, and climate control. I also want to be sure that there is some protection for all this data, to be sure it doesn’t overwhelm any system. I’ll also admit I like [the] idea of upgrading or replacing parts from different vendors, some of whom might do a much better job of building systems.”

Jones is just one voice, of course, but I think he brings up some fair concerns.

The staff at komando.com expand on the dangers of interconnected and/or autonomous vehicles:

“[F]or years automotive engineers have been talking about having cars in the same area communicate with each other. The idea is that if the cars know what’s around them it improves safety and make traffic more efficient. If you think a virus on a computer network is bad, imagine a virus on a network of multi-ton cars traveling at high speeds. The term ‘computer crash’ could become sadly literal.

Then there’s the almost certain arrival of self-driving cars….

This is a good time for the car industry to take a hard look at how critical car computers are protected. It should also take a page from the computer industry and how computer users deal, or don’t deal, with threats.”

Komando then goes on to echo Jones’ concern about people not applying available software patches — a common security problem for “regular” computers.

In addition to concerns about remote access to the vehicles themselves, Weisman, who is a lawyer and an expert on scams, makes this important observation:

“[W]hen automobile computer systems are tied to the car owners smartphone, the risk of the car being hacked as a way to get access to the car owner’s smartphone and all of the credit card information, passwords and financial data including banking app passwords stored on the smartphone is increased.”

Yikes!

All I can recommend, folks, is to follow the PSA’s advice re recalls and software updates (only trust the automobile manufacturer or your car dealer!), think twice about adopting new technology that hasn’t yet had its cyber-kinks worked out, and let’s be careful out there!

Tags: 60 Minutes, auto-hacking, cybersecurity, FBI, hackable cars, internet access, Komando, Miller and Valasek, Scientific American, Steve Jones, Steve Weisman, USA Today, vehicle taken over remotely, Wired

Posted in Science
No Comments Yet Posted by sirrahc