Sometimes news events just come together in a way that opens a window
– even if its a kind of cloudy window – onto the future. So it was this
week, as stories about a coming generation of wired automobiles
collided with some thought-provoking reports on the vulnerability of
said cars to traditional kinds of wireless attacks.
On
the wired-car front, there was that gadget-palooza known as the
Consumer Electronics Show (CES), which kicked off in Las Vegas this
week. As the ever-prescient Robert Scoble noted in a blog post today,
both Audi and Ford had a visible presence at the show, which is better
known for launching plasma TVs, juiced up media players and new DVD
platforms.
As Scoble rightly points out, “consumers are deciding
on cars on things OTHER than horsepower, handling and design.” Indeed,
increasingly its high tech features available inside the passenger cabin
that will tip the scales in favor of one auto over a comparable one –
and “no,” we’re not talking about cup holders here. (Though, let me
suggest to the folks at Subaru that the lovely 2010 Outback would
benefit from more of those, too! Really.)
What ikind of features
are we talking about here? Well, Scobel mentions “assisted driving
technologies” that are integrated into the driving experience, such as
voice-activated data and Web. Imagine realtime traffic feeds. Of course,
there are endless opportunities for Internet enabled media, like
Pandora and other lifestyle e-commerce sites. Scoble mentions OpenTable, or SpaBooker as examples of sites that might work deals with luxury automakers – kind of like OnStar, but for massages and food.
So
great, right? Of course…as with any radical expansion of
capabilities, there’s a concomitant expansion in the technology
-hardware and software – to support it. In the case of many of these new
media and driver assistance technologies that are being proposed, as
well as existing technologies like keyless entry that are already
ubiquitous, automakers are relying on vulnerable wireless communications
for critical functionality.
To that end, MIT’s Technology Review
on Thursday published a story ahead of the Network and Distributed
System Security Symposium in San Diego next month that claims
researchers in Switzerland have shown how keyless entry and ignition
systems can be easily hacked and used to open and even drive away in
vulnerable cars. The researchers tested two methods to defeat
keyless entry and ignition systems by snooping and amplifying the low
power signal from wireless keys, opening cars that weren’t close to the
keys.
The tools to carry out the hack cost between $50 and $1,000,
and worked with 10 vehicles by eight separate manufacturers that used
such keyless entry and ignition systems.
In a story from August,
researchers from the University of South Carolina and Rutgers
University in New Jersey used equipment costing approximately $1,500 to
build a programmable radio transmitter that could sniff and, in certain
instances, alter wireless tire pressure monitoring sensors (TPMS) used
on most late model cars in the U.S. The researchers found that the
sensors, which are required by federal law in new cars, had little or no
security to protect communications between wheel based pressure sensors
and an electronic control unit (ECU) that receives and transmits the
pressure readings to the car’s central computer and dashboard. “they
relied mainly on the fact that the communications protocol is not widely
published,” leaving the door open to wireless hackers, the report
concluded.Threatpost wrote about a similar study by researchers at the University of Washington and the University of California, San Diego, back in May of 2010.
Of
course, hacking “stuff” including IP-enabled cars was one of the five,
big security trends that we here at Threatpost identified for 2011.
That’s not to say that attacks against wired autos are likely to be a
concern any time soon.
Rather, amid all the euphoria and
excitement about the brave new world of Internet connected
transportation – we in the security technology community should be
giving voice to a collective “Whoa!” Web browsers and mobile operating
systems like Android and iOS are wonderful things, after all, but they
weren’t designed with the intent of guiding a 2,500 pound piece of steel
at 70 mph – nor even to operate alongside a system that is doing that.
And, if the early reports about vulnerabilities and weak security
implementations of wireless and other next gen features are an
indication, the automotive industry is in need of a wake up call about
the need for robust application and communications security going
forward.
