Motor Monday: Hacking Cars for Fun and Profit

Posted by: Matt Iasenzaniro onJuly 20th, 2015

Every three years the US Copyright Office holds hearings on whether certain technologies or activities should be exempt from the infamous Digital Millennium Copyright Act. A relevant example would be “jailbreaking” smartphones. If the Copyright Office hadn’t upheld the exemption for jailbreaking phones, that activity would now be illegal and a lot of people would be very upset. Well there are currently multiple hearings regarding the rights of people to hack and tune their cars, and the security industry isn’t too happy about it. A modern car has dozens of computers monitoring and controlling every aspect of the vehicle from engine to brakes and climate control to stereo. If something on your car can be measured, odds are good that there’s a sensor taking readings and sending the data back to a computer which makes a decision based on what it’s told. Now what if an entity other than the car had control of those systems? Well it’s a potential disaster, and that’s the argument OEMs are making as they push to protect their software from being reverse engineered by the public.

The hearings going on right now center around who can hack their cars, and what they can do with the information they find. Manufacturers argue that they currently have their own security teams looking at their code, as well as third party partners running independent tests, so there’s nothing to be gained by continuing to allow public researchers to tinker. In fact, they claim it will cause more harm than good. If researchers find a vulnerability and then disclose it publicly, now it’s in the hands of bad actors who can exploit it and cause problems. I guess they’re ignoring the fact that the bad guys don’t care whether hacking cars is illegal or not, and that a vulnerability in the hands of the public is safer than one only owned by a malicious party. The OEMs also argue that somebody at home could change the software controlling their brakes and cause a collision. Well, I can go out, pull brakes off a crashed car and have an uncertified idiot (me) use unregulated tools (my hands) to install them before going driving on the public roadways. What happens ifwhen I screw up and hurt somebody? Well I can only tell you that it’s a hell of a lot easier to see if software has been improperly altered than it is to see if the brakes on a totaled car were installed properly.

This issue is nearly identical to one the software industry deals with every day, where you’ve got hobby hackers poking and prodding your product for fun, looking for flaws. The de facto standard is for vulnerabilities to be disclosed to software makers first to give them a chance to patch their product before it’s made public and the potential for exploitation skyrockets. Some companies even go so far as to offer money to people who submit bugs and allow them to fix their product first. So why doesn’t the Copyright Office simply mandate something similar, where researchers are forced to disclose bugs to the OEM first? Well first of all, this isn’t software sitting on a device which is constantly connected to the internet. Only a fraction of new cars today come with internet capabilities, and even then I’m not sure any OEMs would push patches to them remotely. So any updates would require an owner to bring their car to the dealership, and they’re vulnerable until they do. So how long do you give security folk before they’re allowed to publish their work publicly? 90 days? 120 days? What’s the service interval on a new car? An alternative is to prohibit publishing altogether, but then what incentive does a car company have to fix their bugs? They assume that if the public doesn’t know about a flaw then nobody knows about it, and it’s the wrong attitude to have. The only people in IT who share that attitude are the few who haven’t been bitten by it. Here’s hoping car manufacturers can grow up before the public suffers.

Cars have had computers on-board for decades now, but hacking hasn’t really been an issue until recently. Back in the day hacking cars required physical access, using something like an OBD tool, USB stick or even an infected CD. Nowadays cars have Bluetooth, RFID, WiFi and cellular technology which broadens their attack surface dramatically, while making it easier and less risky for a bad guy to do what they want. Even then any water cooler talk of remote controlling a production vehicle was theoretical. However, in 2010 it became reality with a paper published by the Center for Automotive Embedded Systems Security highlighting how they managed to take over a car. Their 2011 paper on the same page has them similarly exploiting a car over cellular network. It’s super cool stuff to an enthusiast, maybe less so to the average car owner. The risks to the public right now are next to nothing, and a ruling either way won’t have a significant impact to the public. Having somebody remotely take control of your vehicle is a scary thought but I promise you it’s not something that you need to worry about right now. Once you start seeing dealerships do virus scans during service… maybe that’s when you can start panicking.

When he’s not busy writing about cars or travelling the auto show circuit, he’s reviewing apps and video games related to the automotive world. In his spare time, Matt is a motorcycle enthusiast, trying not to kill himself riding along with the crazy local drivers. He is also a weekly contributor in the Motor Mondays segment on News Talk 770.

Like / Share This Post

Tags: , , , , , ,