Yet Another Car Hack – But Not Chevy’s Fault

Another day, another car hack.

Computerworld reported that hackers at the USENIX Security Conference demonstrated taking over a Corvette by remotely accessing a telematics device that plugs into the on-board diagnostics (OBD-II) port.  These devices are often used by insurance companies to collect data on driving habits to figure out what insurance rates should be.

Progressive, for example, offers the potential of lower insurance rates if you use one of these devices – depending on your driving habits.

These devices use the cellular phone network to send data to, for example, the insurance carriers or fleet managers.

Because they have a cellular connection, they are now potentially vulnerable.  If the car were not connected to an external network, an attacker would need physical access to hack it.  This is the downside to the smart automobile.

The hackers were able to connect to the device and take control of it.  From there, they were able to issue commands to the OBD-II port that did things like turn on the wipers and apply the brakes.

While this is interesting, it is far less worrisome than the Dodge or Jeep hacks released recently.

All of these hacks point out that the CANbus, designed 30 years ago, is not secure.  In the 1980s, car designers were not worried about cyber security.  Unfortunately, that bus has not changed much since then.

The company that makes the device in question said that they have additional security, but it is not turned on by default – to give integrators flexibility.  Now that their reputation is being damaged, they are going to turn it on.  Although they don’t say this, they must be able to turn it on remotely.  If you can turn it on remotely, could a hacker turn it off remotely?

The more interesting question is what other hacks exist that we don’t know about.

For example, could a hacker cause a car to crash or even catch fire by making it do things that it was not designed to do?  I can think of several target markets for a capability like that.

I suspect that security is defaulted to off because turning it on makes programming or using it a little more difficult and after all, who would want to hack a car?  Convenience.  Security.  Pick one.

Hopefully, all this attention on the CANbus (which the OBD-II port gave the hackers access to) will cause manufacturers to start looking at ways to improve security.  Given that it is highly unlikely that we will see less tech in cars in the coming years, if the manufacturers do not address it, the hackers will.

Unfortunately, as a consumer, there is very little that you can do to protect yourself.  There is some legislation in Congress right now, but how that will turn out is not clear.

The good news is that there is so little standardization in technology in cars that a hack that works on a Ford won’t work on a Chevy, a hack that works on a Ford Mustang won’t work on a Ford Explorer and a hack that works on a 2012 Dodge RAM might not even work on a 2013 Dodge RAM.  As car makers standardize to reduce costs, that benefit may be short-lived.

Stay tuned – this issue is not going to go away any time soon.

Information for this post came from Computerworld.
