Your Car’s Cyber Security Stinks

Yes, that is basically the summary of a Network World article on the subject.

In a high-end car there are hundreds of computers and millions of lines of software.  Gone are the days when your car was a big hunk of machined metal.

Now your car is a supercomputer network on wheels.

The patch that BMW released a couple of weeks ago and the hacking demo of the Tesla that opened the car’s doors while it was driving down the highway (see CNN article) are but two very public demonstrations of the vulnerabilities in today’s cars.

While some car owners have claimed that their cars have done very strange things while they were driving them, for the most part, the government and automakers have not been able to recreate them.  That doesn’t mean that the issues aren’t real.

Sen. Edward Markey (D-Mass) commissioned a study, the conclusion of which is that there is a

“clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information.”

Some of the trends in Markey’s study include:

  • Nearly 100% of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
  • Most automobile manufacturers were unaware of or unable to report on past hacking incidents.
  • Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers.
  • These manufacturers collect an incredible amount of information about you and your driving practices over wireless networks, usually with no security and always with no rules regarding what they collect, how they use it and whether they inform the consumer about their practices.
  • Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most said they rely on technologies that cannot be used for this purpose at all.

The last bullet is the most concerning.  Only two out of twenty manufacturers were able to detect and respond to hacks in real time (of the 20, 4 did not even respond to the Senator’s request for information).  If your computer is hacked and it takes Microsoft 6 months to come up with a patch, you may have your bank account drained or your data erased, but if your car is hacked, you may crash into a tree at 60 miles an hour and be killed.

While no one is suggesting that this is happening today, the use of software in cars is growing geometrically and no one is really doing very much about the security.  Some of the demonstrations have used a laptop connected physically to the car (which a hacker could do with advance planning).  One even used an infected CD in the CD player.

What is clear is that, as Tom Cruise said many years ago in a different context, this is a target rich environment.

The automobile industry is beginning to work on voluntary activities regarding both safety and privacy, but none of those activities are mandatory.  If you read Sen. Markey’s study, you will see that for many of the questions asked, the manufacturers either refused to answer or gave vague platitudes.  Other questions were answered with answers that had little to do with the question asked.

Given that right now the hackers have their hands full stealing our credit cards, healthcare records and other personal information, it may take a few years before they figure out how to monetize hacking your car, but fear not – they will.  Just like hackers nuked Sony into the stone age or, on a small scale, CryptoLocker encrypts your personal computer in exchange for ransom, what if hackers nuked your car?  You have it towed to the dealer and they say they have no idea.  For the most part, dealers do not have the technology to reprogram most of your car’s computers in the field, which means that they would want to replace those computers, costing you hundreds to thousands of dollars.  Even if it is under warranty, would the manufacturer cover that cost or say that this is not a manufacturing defect?  For sure, the lawyers would get rich.