Here's an interesting paradox: networked cars invite hackers and there's very little to keep the hackers out, unless you can build a firewall or install a firewall product and keep it up to date.
Yes, this does sound like a story about an IT shop keeping hackers out of the disk farm and blade servers but it is not. It's about cars and the things hackers can do now that more and more of them are accessing the Internet.
For example, Audi has offers WiFi connectivity to the Internet, as does Jeep. These additions have many hackers licking their lips. Aside from the hacker bragging rights about “taking down” a car other hackers are just drawn to the prospect of remotely controlling the actions of remotely controlling your car.
The nightmare that keeps auto IT managers up at night is a hacker with time on his or her hands and a cable modem. Because cars are open systems that are now being quietly hooked to the Internet via WiFi connections, it is easy for a decent hacker to access all the systems in a vehicle. They can easily shut down the braking system, enable the airbags, freeze the power steering, jam a car in a single gear or do all of the above. That's a real nightmare hack. It's one that keeps managers from resting easily.
Ed Adams, a security researcher at Security Innovations, a company that runs safety testing on cars, said frankly to CNN that the “Auto manufacturers are not up to speed...They're just behind the times. Car software is not built to the same standards as, say, a bank application, or software coming out of Microsoft."
Cars and CPUs go back a long way. The first analog computers, used in a limited manner at the time – 1977 – paved the wave for Ford's development of the first truly digital systems and electronic controls by 1983 with the EVC-I (Electronic Vehicle Control). Because the use of real CPUs was expanded radically by the new system, autos became more dependent on computerization than they had ever been before.
Joe Klein, a researcher at Disrupt 6, a security firm, told CNN that the “protocol (sic) to internal parts of the car were never meant to be connected to anything.” No, they were meant to operate in a closed system atmosphere. That, more than anything else, was the security umbrella that seemed so tight around the auto industry. The various electronic control systems and computerized systems were meant to work inside one car and one car only.
This brings us back to the auto industry's “nightmare hack.” In this hack, someone pokes around and finds a rolling WiFi system. The hacker – who may consider himself or herself riding at the edge of technology, like a cowboy – takes the information he finds in the rolling system and uses it to get into the victim car.
Any system is then open to the hacker as he is able to move around the innards of your car's computer system as easily as a garter snake moves through the grass. Worse for the car is that, unless there's a strong security presence or automated system in place, the car owner will never know the hacker has been there.
The nightmare hack dream usually involves the hacker taking control of the airbag system and keeping them from deploying, just as he freezes the brakes or the brakes on one wheel that causes the vehicle to sideslip right into trees or a utility pole. Meanwhile, the hacker can get into your car's electronic entertainment and/or automatic control systems and cause damage to your heater or air-conditioning, as well as other systems in your vehicle.
Lots of electronics
CNN's experts stated a long-held belief that cars are examples of an earlier era in technology. For example, they noted though many systems are up-to-date, many of the basic on/off switches still used in automotive systems today date to the 1970s or early 1980s – old technology.
Even the CPUs, that are used to control various systems, date from the late 1980s to 1990s. Chips you seldom hear of in computers today – Pentium, Z8000, and the like, are used throughout your car. Indeed, there are 50 to 100 of these systems used in cars today. They are used in everything from braking and airbag control to entertainment systems and climate control.
Further complicating the issue is the fact that most of the internal systems are multiplexed. In an earlier era – when systems did not communicate with one another in any way – designers believed that all a car’s internal systems had to work together so the car’s electronics potential could be maximized. Using a central electronics bus (analogous to a networking wire), applications designers rewrote their computer code to comply with a request that the doors and the trunk communicate with the safety systems and/or brakes. The result is something like a makeshift monument; there are lots of things hanging off the central bus, each of which talks to other systems via that bus. The bus, itself, was never meant to communicate outside the car.
WiFi Makes It Possible
Now that cars are joining the Internet, via WiFi and/or Bluetooth systems, the very systems that were never meant to talk with systems outside the car are open to the hacker with the right set of codes. There’s just no security, no authentication, notes CNN. Further, these systems are very complex and it is almost impossible to find how a hacker may slip in. Let’s face it, the average early space trip used only 150,000 lines of code, while today’s Android operating system has about 12 million lines of code. The average car has more than 100 million lines of code and no security trail. There may be service logs, but they are specific to the function to which they were intended.
The results, according to Disrupt6’s Joe Klein, are little short of disastrous. “The protocols and internal parts of the car were never meant to be connected to anything.” Car computer systems were safe in the 80s and 90s because the car was a closed system. However, just bringing WiFi (wide fidelity or over-the-air Internet) into the equation a weakness is exposed as the car’s interior “intranet” – for want of a better term -- is now accessible to anyone with a cable modem and the know-how.
Ed Adams, a security researcher with Security Innovations, an automotive safety research firm, noted, “auto manufacturers are not up to speed and … behind the times. Car software is not built to the same standards as, say, a bank application or software coming out of Microsoft.”
This leads to the nightmare that keeps auto IT managers awake at night, someone hacking directly into vital car safety systems or security/entertainment systems and causing mayhem on the road.