Don't Become a Car Hacking Victim

From one futuristic scam threat in last week's issue (having your mobile device hacked at a charging station) to another -- car hacking. Like juice jacking, as the mobile device threat is called, car hacking -- in effect taking control of the computer circuitry in your automobile -- is a very real threat. Just because hacking car computers hasn't happened "in the wild" yet, doesn't mean some crook hasn't got a plan to do so in the works. Experts warned about it as long ago as 2008 after researchers in California and Washington disabled the brakes, changed the speed readings, switched off the engine and locked the doors of several cars. They even demonstrated how an infected CD could be inserted into a car's player to take control of its safety systems. And while we could only imagine most of those actions being done for serious criminal purposes that don't touch most of us, the ability to steal or lock us in our cars (or out of them) and alter the speedometer has disturbing implications. 

One of the California researchers even said recently that hacking a car could enable crooks and snoops to listen in to conversations. The threat is only going to increase as computer chips are built into more car components, along with entertainment devices that automatically connect to the Internet via wi-fi and on-board communication systems like the hands-free technology called Bluetooth. We are all in what the auto industry apparently calls the age of the connected car. All cars built after 1996 must have a built-in diagnostic system that checks emissions and engine performance. And those built from 2008 on must have a communications network that keeps tabs on things like cruise control, antilock brakes and power steering. 

That, however, is not the problem. It's the introduction of other systems, ranging from video players capable of streaming movies from the Internet to vehicle tracking devices, that carries the threat by potentially allowing hackers who can get into these systems to "cross the bridge" into the car control systems. At a security conference in Las Vegas last summer [1011], two researchers demonstrated how they could tap into the network-based security system of a modern sedan, unlock it and start it -- from some distance away. This sort of activity has car manufacturers scrambling to improve security access on their vehicles, while the US Department of Transportation is planning to test new models to check if their computers can be hacked. Most recently, the National Academy of Sciences entered the fray after reviewing investigations on unintended acceleration of some cars. 

Although there's no suggestion this was caused by car hacking, an Academy panel said in January that while safety and entertainment systems in vehicles are supposed to be separate, "it is not evident that this separation has been adequately designed for cybersecurity concerns." And a recent report by the Bloomberg business news agency quoted the National Highway Traffic Safety Administration as saying: "The agency recognizes there are potential vulnerabilities, especially those related to future connected vehicles, that need to be fully understood and addressed." In the meantime, what can you do?
Well, at least one auto with this advanced connectivity is already on the market and Paul Lubic, a security blogger in this field, suggests that if you're buying a new car, you should ask if its systems can be accessed remotely and, if so, what security features have been built in. In particular, you will want to know if on-board devices use the security feature known as encryption, which basically masks it so hackers can't break into it. Don't expect the showroom sales person to necessarily know the answers right now (although they certainly will have to in the future). Do the homework yourself. A study by well-known consumer security outfit McAfee suggests the sort of things you want to know include:

1. Whether any board systems connect to the Internet and/or cellular networks. 
   
   
2. Whether there's a link between the GPS (if it has one) and the safety monitoring systems and where your personal GPS data is stored. 
   
   
3. Is there any on-board device that collects and stores information from your cell phone or other "smart" device? 
   
   
4. Can the car's security system detect an intrusion? 
   
   
5. Can personal data on any on-board system be cleared before you sell the vehicle?
   

You can download the McAfee report, Caution: Malware Ahead, for full details. 

And if you want to know which car Lubic says has this advanced connectivity installed, check out his blog post: Upcoming Cyber Security Threats Part 5: Hackers Controlling Your Car. 

In the future, it's likely that auto manufacturers will strengthen this security element on their vehicles but, according to Bloomberg, current models could be particularly vulnerable. However, you can console yourself in the knowledge that you're statistically more likely to get your auto stolen by a regular car thief than through car hacking -- at least, for now.