When hackers step on the brake

Sven Krumrey

As a child, I loved Knight Rider (it's OK to laugh), the suntanned hotshot Michael Knight and his wonderful car. K.I.T.T. was equipped with artificial intelligence while my dad's car could only signal when it was out of oil and sometimes, it even "forgot" this feature. We've come a long way since then, engineers are now working on self-driving vehicles and modern cars, stuffed with sensors, are more like driving computers. But what was originally intended for better comfort and safety is turning into a security problem.

K.I.T.T. - My childhood dream

Modern cars are supposed to offer comfort, safety, even entertainment and that often requires online connectivity. Automated locking mechanisms, tire pressure sensors and comparable systems all use radio frequencies and don't forget the traffic jam service that constantly needs to stay up to date. If you can connect to your car via Bluetooth or WLAN so can others. Do you have an app for your car that lets you turn on the heat or plan destinations in advance? Shady characters will find this very interesting and they usually come equipped with laptops and all the latest technology.

It's the CAN (Controller Area Network) bus, the part that provides extensive cross-linking for all device controllers, that is frequently at the core of this issue. Once hackers gain access to this nerve center, things get serious. As different systems have to communicate with each other, it's not overly hard to transition from one part, e.g. entertainment, to more vital systems such as the brakes. At least that's what current examples show that stem from scenarios in which the various systems were not effectively separated. And don't forget, even if an attack is not immediately life threatening, there's still a chance that private user data will get stolen. The more features a car provides and the more we use them, the more lucrative potential attacks become.

Not all hackers wear masks, mind you

Even simple comfort features found in so-called keyless systems have serious flaws. These cars use radio signals to detect the proximity of your keys and unlock their doors and ignition once you approach them. Experts (including car thiefs) have come up with a simple trick: While you're waiting, e.g. at the counter in the gas station, a guy happens to stand right next to you with a receiver and transmitter in his pocket that relays the signal to your car. It's then incredibly easy to open and make off with your car without causing scratches or a stir. Put badly: Keyless systems not only make getting into your car easier for you but also for the bad guys.

"Over the air" is another term frequently heard in discussions about modern cars. What sounds like a plane trip is actually software updates delivered to cars via mobile connectivity. It's a great system since it enables modifications to safety relevant systems that become active the moment you start your car, there's no more need to visit a garage. This gives manufacturers a way to respond to software bugs as fast as possible and may render many recalls unnecessary over night. The downside of this feature recently hit Tesla whose S models were attacked by hackers in this way. Tesla reactedm the security hole was fixed but only time can tell how long the fix will hold and how many other manufacturers will ultimately be affected as well.

The wireless update for car software

Car manufacturers apparently need to learn from their mistakes. Officially, every system is safe until proven otherwise. Two specialists recently hacked a Cherokee model from the Fiat Chrysler group using the infotainment system as their entrance point. They were then able to remotely control brakes, acceleration, door locks, air conditioning and windshield wipers. A nightmare for whoever was in the car at that time. Tesla's response was swift, 1.4 million cars were recalled and the security hole got fixed. Thankfully, these were well-meaning hackers that expose security risks for public benefit and don't mean to cause any harm. That won't always be the case!

Yet, the individual risk is currently quite small. It takes a lot of effort to implement these hacks and requires considerable knowledge and resources since every manufacturer uses different security mechanisms. There's simply no universal approach, no common, easily exploitable security flaw that affects all models. But experience shows that criminal minds can manage considerable technical achievements. Drivers can only hope that, while companies take advantage of technological progress, they don't lose sight of potential risks.

And if you're wondering whether the drivers in front of you have just been hacked: Unlikely, they really drive like that.

<strong>Author's side note:</strong>
During my research, I've naturally come across detailed descriptions of how to implement these hacks. I've decided not to include them in this article so that my readers don't get any ideas!
Back to overview

Write comment

Please log in to comment