When buying a car, consumers look for crash ratings and the number of airbags, but they're missing information about one critical safety feature: the security of the car's computer network.
Security researchers Dr. Charlie Miller, a security engineer at Twitter, and Chris Valasek, Director of Security Intelligence at IOActive, want to change that. In a talk at the Black Hat security conference in Las Vegas this week, the pair presented a 92-page paper entitled 'A Survey of Remote Automotive Attack Surfaces'. They dug through the schematics of 24 different newer vehicles and found that the more complex and integrated a car's network, the more hackable it became.
"The most hackable cars had the most [computerized] features and were all on the same network and could all talk to each other," Miller told Dark Reading. "The least hackable ones had [fewer] features, and [the features] were segmented, so the radio couldn't talk to the brakes."
The 2014 Infiniti Q50 was the most hackable car because features such as remote keyless entry and a smartphone app were integrated with components that control the engine and braking, giving hackers an easy entry into the car's systems. The least hackable was the Audi A8, which does not have integrated networks and even has a security gateway to block outside commands from dubious radio sources.
Miller and Valasek also presented their findings to the Department of Transportation and the Society for Automobile Engineers, hoping to bring to light the automotive industry's security oversight.
"You can grab a Consumer Reports magazine from a newsstand right now and see ratings for car safety features," Valasek told WIRED. "We're doing the same thing, but for vehicles' cybersecurity."
Last year, the pair of researchers teamed up to target two particular vehicles: a Ford Escape and a Toyota Prius. They revealed how they could control throttle inputs, brakes, steering and other critical car functions, all while sitting in the rear seats. The current project is an outgrowth of the original -- they wanted to test the auto industry beyond two cars, Valasek wrote on his blog.