Imagine this nightmarish possibility: Al Qaeda terrorists cause thousands of motorists racing down a freeway during the morning commute to suddenly lose their brakes, leading to chaos, death and destruction. Implausible? Maybe not, some experts warn.
As cars and trucks have become laden with brainy devices to control such features as air bags and crash-avoidance systems, the vehicles have become increasingly vulnerable to cyber attacks, according to recent studies by university researchers and security companies.
One found that a car’s computer controls could be remotely accessed through their Bluetooth, Wi-Fi or OnStar connections, potentially enabling terrorists to simultaneously disable the brakes of numerous cars, corporate spies to eavesdrop on a motoring executive’s phone calls or thieves to electronically locate, break into and start cars they’ve targeted to steal. Another study showed how a car’s tire-pressure warning system could be wirelessly tricked into sending false alerts to drivers, which could prompt them to stop and fall prey to robbers following them.
Speculating that villains might short an auto company’s stock and then cause widespread problems in its cars, Ryan Permeh, a principal security architect at Intel Corp.'s McAfee division, added, “I can definitely imagine organized crime or potentially even nation states leveraging weaknesses in these functions to cause different kinds of havoc.”
Although instances of car hacking have been extremely rare, the threat has gotten the attention of automakers.
“We are very, very concerned,” said Chrysler spokesman Vince Muniga, adding that it is consulting with computer experts to identify “things that may be vulnerable in the future.”
Similarly, Ford “is taking the threat very seriously” and “working to ensure that we’ve developed a product that is as resistant to attack as possible,” said Rich Strader, the company’s director of information technology, security and storage.
The subject also has gotten the federal government’s attention.
“The National Highway Traffic Safety Administration is aware of the potential for ‘hackers’ and is working with automakers to better understand what steps can and are being taken to address the problem,” the agency said in a statement, adding that it has asked the National Academy of Sciences to look into the matter.
Because of consumer demand for entertainment, convenience and safety features in cars, automakers in recent years have greatly beefed up the technology in their vehicles. It’s not unusual for luxury autos to sport 70 computerized control units that monitor the engine, transmission and headlights as well as cabin temperature, air bags and cruise control.
Some cars even park themselves, or automatically brake to prevent collisions. But their various wireless connections can enable hackers some distance away to electronically infiltrate an automobile and take virtual control of it, experts have determined.
In a September report about the “emerging risks in automotive system security,” McAfee described the case last year of a disgruntled former employee of a Texas used-car dealership. By accessing the system the dealership used to remotely deactivate cars whose buyers failed to make payments, he created mayhem by blaring the horns and shutting off the engines of more than 100 vehicles.
Other problems could be coming down the road.
In a study last year, University of South Carolina researchers in one vehicle caused the tire-pressure warning system of another to send bogus alerts to its dashboard. Because such alerts could prompt drivers to pull over to check their tires, the researchers warned, “this presents ample opportunity for mischief and criminal activities.”
Another troubling flaw was uncovered by a security tester hired by an unidentified U.S. city, according to the McAfee report. After hacking into police car camera recorders, the report said, “he was easily able to upload, download and delete files that stored months’ worth of video feeds.”
Still more weaknesses were detailed in a study in August by the Center for Automotive Embedded Systems Security, a collaboration between UC San Diego and the University of Washington. It concluded that thieves could wirelessly command groups of cars to report their GPS coordinates and vehicle identification numbers, enabling the crooks to learn the year, make, model and location of the most expensive ones. Then, it said, they could steal those autos by issuing other wireless commands to disable their alarms, unlock them and start their engines.
Using a related technique, the study warned, corporate spies could listen in on the phone conversations of a motoring executive, or, more disturbingly, terrorists who previously had infected numerous cars with malicious software could later command the vehicles to “simultaneously disengage the brakes when driving at high speed.”
Andre Weimerskirch, chief executive of Michigan-based Escrypt Inc., which has been helping carmakers deter hackers, credited manufacturers for working hard to bolster vehicle security. But he said some independent dealers selling after-market auto parts aren’t taking the issue as seriously.
And while much has been learned about the ways crooks can compromise cars, Stefan Savage, a computer scientist who participated in one of the recent studies, said it’s hard to anticipate all the schemes that might be tried in the future, adding, “I would be quite surprised if there are not additional vulnerabilities.”
Johnson writes for the San Jose Mercury News/McClatchy.