• ETC
  • Jul 18, 2014

A car is no longer a car. It's a computer with wheels and an engine.

A telephone is not a telephone. It's a computer that makes phone calls. A refrigerator is not a refrigerator. It's a computer that keeps food cold. And a car is no longer a car. It's a computer with wheels and an engine.

Everyday items are no longer what we think they are, and we need to rethink those objects to help keep them secure, says a leading security expert. That includes the millions of new vehicles now being sold in dealerships across the United States.

Today's new cars come equipped with dozens of microcomputers connected by a network and run everything from infotainment systems to the engine itself. New technology has provided advancements in fuel economy, comfort and safety. But it comes at a price. Like any other computer system, the units inside our cars are vulnerable. Hackers can infiltrate these systems. Once they're inside, they can do anything from steal your data to control your car.

Automakers were slow to realize these growing risks, says Bruce Schneier, chief technology officer of Co3 Systems and a fellow at Harvard's Berkman Center, but they've better responded to these potential threats in recent years.
Hand with computer mouse and car

Schneier spoke at the Battelle CyberAuto Challenge, a week-long gathering of industry leaders, researchers and students pioneering automotive cyber security held in the greater Detroit area.

By 2017, industry analysts expect 60 percent of new cars around the world will contain connected capabilities.

Progress has been made, yet he said there are still dangers on the horizon. He foresees more complexity and potential dangers ahead as more connected cars reach the road and the US transitions to a traffic system in which vehicles talk both with each other and infrastructure. By 2017, industry analysts expect 60 percent of new cars around the world will contain connected capabilities.

"They're taking this seriously, and that's good, but we have a long way to go," Schneier tells Autoblog. "They last thing you want is for someone to hack into your computer and make your brakes stop working. As people have demonstrated, it's just like hacking into an email. It's no different. It's a question of whether you type the 'stop email' command or the 'kill the guy' command."

Hackers Can Control Cars

Although there are no documented cyber car attacks in the real world, studies have shown that cars can be hacked. In 2011, researchers at the University of Washington and California-San Diego teamed up to hack into a vehicle and disable its brakes, selectively brake individual wheels on command and stop the engine. The report noted the 'fragility' of the underlying system.

Last year, researchers at IOActive, a global computer security firm, breached network security in a Ford Escape and Toyota Prius. From the rear seats, they controlled every conceivable function of the cars, manipulating the steering, throttle inputs and dashboard indications. Together, the two studies are seen as big warnings for the industry.

Auto mechanic checking vehicle identification number of the car using laptop hooked up to the car onboard computer

Industry Wants OEMs To Share Data

Earlier this month, Delphi, Battelle, the Alliance of Automobile Manufacturers and the Association of Global Automakers created a coalition to address issues as they arise, and stressed that OEMs need to share information about potential cyber threats.

OEMs need to share information about potential cyber threats.

"Despite the absence of reported cybersecurity incidents affecting vehicles on the road to date, we are taking action to prepare for possible future threats," Mitch Bainwol, president of the Alliance of Automobile Manufacturers, wrote in a letter to the National Highway Traffic Safety Administration.

Battelle, a national nonprofit research organization that melds business and scientific interests, wants to address those concerns. High-school and college students at the CyberAuto Challenge have been probing the potential attack surfaces and entry points of cars this week. Battelle asked them to sign non-disclosure agreements before participating so they couldn't speak in specifics about their experience. But what they have experienced has left an impression.

"With a car, you can do some things that are scary and exciting at the same time," said Keimmie Booth, a student from the University of Baltimore.

Future Systems Based On Cooperation

Going forward, Schneier said the problems automakers face are both mundane and frightening. One of the biggest challenges is the lifecycle of vehicles – the average American car on the road today is 11.4 years old, according to Polk Automotive data. Computers, of course, have a much shorter lifecycle.

The average American car on the road today is 11.4 years old.

"If I gave you a 15-year-old computer, it would be horribly insecure, and we don't really know how to deal with that yet," he said. "In a lot of ways, the auto industry is like the computer industry 15 years ago. It hasn't fully realized what it means to try and keep a computer secure. You get updates once a month for Windows. Do you have to get that for your car? Probably."

As the federal government partners with researchers in creating a traffic environment based on cars connected to each other and infrastructure like traffic lights, the implications for holes in that security become more ominous. Part of those preparations, Schneier says, must include how to detect and counter unwelcome intruders.

"How do we deal with a system that's based on cooperation that has an uncooperative element," he said. "How do you deal with a rogue car, when someone hacks into a car and puts in the Knight Rider mods? ... At lot of this is bigger than cars, but cars make it real and visceral."


I'm reporting this comment as:

Reported comments and users are reviewed by Autoblog staff 24 hours a day, seven days a week to determine whether they violate Community Guideline. Accounts are penalized for Community Guidelines violations and serious or repeated violations can lead to account termination.


    • 1 Second Ago
  • 13 Comments
      Aussie Aspie
      • 5 Months Ago
      It's funny how almost every automaker is tripping over themselves to get a foothold in the very same country (you know the one ... it's name is an anagram of "chain") whose government sponsors the world's most dominant cybercrime industry. You'd think with nearly 1.4 billion people they might actually be able to invent something on their own without stealing it, but obviously not. Every automaker knows who's ripping them off, but they just can't see past the $$$ and tell them where to stick it! If we dealt with them how we should, their biggest industry would return to making 50 cent socks for Walmart.
      Louis MacKenzie
      • 5 Months Ago
      This is just retarted. Just decouple the connection between the driving part of the car and the network connected part of the car. You shouldn't have to use a cellphone to unlock, park, turn-on, etc with a car. All those pieces should belong to a dedicated car controller key. In fact, if people are in capable of parking a car vehicle while they are in control of that vehicle, they shouldn't be given license to drive it.
        Mike
        • 5 Months Ago
        @Louis MacKenzie
        You really don't understand what hacking is. It's more than unlocking, it's being able to take full control over a vehicle. Drive by wire, it's not just you locking mechanism, it's your steering, brakes, accelerator, fuel / air mapping, etc. You realize people can watch you while you post online right?
      Car Guy
      • 5 Months Ago
      Other than some person with direct access to the OBDII port of your car, explain exactly how this is a "threat"? Has there even been a single case of a car being taken over remotely? The cars on the road now have about as much chance of being hacked as a home computer with no internet connection. Zero. This may be a problem in a few years when cars are networked V2V or V2I in some way but currently this is nothing more than media hype.
        neilyadig
        • 5 Months Ago
        @Car Guy
        Unless someone gains physical access to your vehicle. They're hacked the same way any computer with no internet connection are hacked.
          EntRisk Technologies
          • 5 Months Ago
          @neilyadig
          This is untrue. Some systems like Tire Pressure Monitoring System (TPMS) uses a wireless protocol like blue tooth. That can be hacked using an appliance sitting on the shoulder of a road. On-Star is another feature that can be hacked without an internet connection. Check out the analysis on this blog: https://entrisk-technologies.com/blog/ for more details.
          Jesse Gurr
          • 5 Months Ago
          @neilyadig
          How will you hack a car on the shoulder of the road using bluetooth? The car will drive away before you have a chance to hack it.
      johnbravo6
      • 5 Months Ago
      I've paid good money to have my ECU hacked with quite favorable results.
      PatrickH
      • 5 Months Ago
      "A car is no longer a car. It's a computer with wheels and an engine." Nah, my car's a car. I don't need all that BS and neither do most people. Enter at your own risk.
      knightrider_6
      • 5 Months Ago
      every thing is hackable - credit card readers at a store, bank website, email accounts, utilities, pump at your gas station, your smartphone or laptop We should not stop doing things because these is a remote chance of being hacked.
      • 5 Months Ago
      We covered this topic in a little more detail at: https://entrisk-technologies.com/blog/ This is a real threat, especially given the Internet of Things. There is not much consumers can do except apply pressure to the manufacturers to remediate this issue.
        Agilis
        • 5 Months Ago
        You just want to keep pushing your blog. Hacking of OnStar or any wireless technology utilized by a car can be hacked - but it takes extensive effort and knowledge and not just anyone can perform it. Hacking like this is very dynamic, and requires custom software or equipment. All the examples I have seen are proven concepts where the car has been prepped first. I have yet to see a car hacked from another car while driving in a timely manner and at speed. Sure the more the car goes wireless the more the car's systems are at risk but again, unless you possess the knowledge and expertise, it will not be routine and it will always be challenging.
    • Load More Comments