Auto Software Can Be Hijacked by Hackers... or Even Terrorists

Last Updated May 14, 2010 5:37 PM EDT

A new study shows that cars are susceptible to malicious computer hacking. The authors didn't have terrorist opportunities in mind, but a highly placed computer security expert I contacted raised that possibility (cue the theme to 24). Beyond that, cars' increasing reliance on electronic controls has lent credence to the possibility that they're a factor in sudden acceleration cases.

Although most people worry about their cars getting stolen, few have given much thought to having them hacked electronically. But the average car has more than 10 million lines of code, and a new study shows that automotive software is no less vulnerable to malicious hackers or even terrorists than the average PC.

One useful feature of the coming electric cars is that they'll be remotely controllable from the Internet or a cell phone -- to set the time for a charging session, say, or to pre-warm the interior. Conventional cars will have similar capabilities. But that same interactivity is part of what makes them susceptible to the kind of malicious interference that launches computer viruses.

The researchers' conclusion is particularly interesting in light of the theory -- so far unproven -- that electronic interference is responsible for automakers' (and especially Toyota's) sudden acceleration epidemic. No one's suggesting that hackers are making cars accelerate out of control, but it is increasingly uncomfortable to realize the vulnerability of the electronics that control nearly everything they do.

The university-based authors of a technical paper entitled "Experimental Security Analysis of a Modern Automobile" point out that all new cars are "pervasively computerized." And they were able to "systematically control a wide array of components including engine, brakes, heating and cooling, lights, instrument panel, radio, locks, and so on." They were able to remotely disengage a car's brakes, as well as forcibly activate them, sending the driver lurching forward.

The professors from the computer science departments of the University of Washington and UC San Diego conclude, "We have endeavored to comprehensively assess how much resilience a conventional automobile has against a digital attack mounted against its internal components. Our findings suggest that, unfortunately, the answer is 'little.'"

Co-author Yoshi Kohno of UW told me:

"[C]ars were mechanical devices, but now we're seeing more and more connectivity, and that means an increased risk. We wanted to get ahead of the bad guys, and point out the potential security risks if someone gets on the car's internal network."

Stefan Savage, a co-author from the University of California, pointed out that PCs in the 1980s and 1990s had "lots of vulnerable software," but a real security risk ensued when that was coupled with massive broadband availability. "We need to harden the cars' interfaces ahead of time," he said in an interview.

Alan Paller is director of research at the SANS Institute, a computer security training group whose clients include the NSA and FBI. He said that the Internet capabilities of modern cars are being engineered for the convenience of the user, "and they forgot about security, they forgot about the bad guys."

According to Paller, we are entering the age of the "smart appliance" (including stoves that will be reaching 350 just as you walk in the door) and the car is one more of those. As cars get more interactive, he said, it would be technically possible -- if not yet likely -- for a sophisticated terror network (the kind that operates routinely on 24, for example) to stop all cars on a key bridge (located through GPS) and bring an urban economy to a standstill.

The solution? "The automakers need to bake in more security right now," Paller told me.

Mike Bright, a computer engineering professor at Grove City College in Pennsylvania, said that terrorists are likely to be more interested in "big plays" such as attacking a nuclear power plant, so your antagonist could be a disgruntled neighbor simply messing up your car's fuel economy -- or making it impossible to start. "I'm surprised there haven't been more hacks with electronic key fobs," he said.

David Orenstein is a spokesman for the school of engineering at Stanford, which is working with Volkswagen on remotely controlling cars. These "autonomous driving" experiments include a planned run up Pikes Peak in an Audi, and automatic parking in a VW wagon. "It is probably safe to say, according to security experts at Stanford and elsewhere, that every computer system on the planet has some vulnerability," he said. "And that can pretty much extend to cars, which are also hackable to some degree."

Stanford's autonomous cars are "Junior" and "Shelley." They represent millions in investment, so could someone with an Apple notebook hack into their control systems and remotely pilot them back to a criminal lair? "I think if they were sophisticated enough to hack in, they'd be sophisticated enough to steal it in a more conventional way," Orenstein said.
