Sen. Markey Wants to Know: Can Your Car Be Hacked?
Sen. Edward Markey (D-MA) this week asked automakers what they're doing to protect vehicles from wireless hacking threats and privacy intrusions.
Thu, December 05, 2013
Computerworld — The growing integration of wireless technologies in automobiles has prompted some well-publicized fears about hackers taking control of cars to disable brakes and to take over navigation, steering, acceleration, tire pressure and other systems in a vehicle.
That prompted Sen. Edward Markey (D-MA) this week to ask what automakers are doing to protect vehicles from wireless hacking threats and privacy intrusions.
In a letter ( download PDF) to CEOs of 20 of the world's largest automakers, Markey asked a series of detailed technical questions about the vulnerability of vehicles to wireless security and privacy threats. Among the companies asked to respond are Ford, Toyota, Volvo, BMW, Chrysler, Mercedes and Nissan.
The letter pointed to a recent study by the Defense Advanced Research Projects Agency (DARPA) in which two researchers demonstrated how they could take control of a vehicle through the controller area network (CAN) used by devices in a car to communicate with each other.
The study, conducted by security researchers Charlie Miller and Chris Valasek, showed how attackers could send different commands to the electronic control units in a car and cause it to brake or accelerate suddenly or jerk its steering wheel in different directions.
In that study, the researchers needed physical access to the CAN bus to carry out the attack. However, previous research has shown that similar attacks can be carried out wirelessly by accessing the CAN bus through Bluetooth connections, compromised Android smartphones, vehicle tracking and navigation systems like OnStar and compromised files on music CDs, Markey noted in his letter.
Stuart McClure, CEO of Cylance, which performs security assessments for several companies -- including automakers -- said the auto industry is a prime target for hacking and disruption. "Many in the industry try desperately to stay ahead of the bad guys, but unfortunately, few guidelines and little oversight produce farm fresh opportunities for the bad guys," he said.
Few controls exist to prevent hackers from breaking into automobiles wirelessly and taking control of systems, McClure said. But because hackers are unlikely to gain much by breaking into individual automobiles, he said they're unlikely to spend much time hacking vehicles. The only scenario where such a threat would be likely is if someone wanted to carry out a targeted attack against a specific individual.
In addition to security fears, there are privacy concerns related to the use of navigation systems and technologies that gather vehicle performance information, Markey said in his letter.
As an example, he pointed to an OnStar proposal to sell vehicle and driver information such as location, seat-belt use, airbag deployment, speed and other data to third parties. Markey's letter also highlighted an incident in which Tesla Motors allegedly collected data about a reporter's driving habits during a test drive to rebut a negative review of the vehicle by the reporter.