If Your Car Has a Computer, it could Get Malware or Get Hacked
Anyone remember the good old days when we get computer viruses the old fashioned way? It goes like this. Someone inserts an infected floppy disk, probably a virus-infected operating system or program disk in a drive, the virus loads into memory once the infected program is run and later infects files and executables of clean floppies. Who needs the internet back then to spread malware? Now the same thing happens on a larger scale. Except today’s newfangled computer-controlled cars are the floppies and the automotive dealership’s computerized diagnostic tools act as the computer.
Someone, malicious or otherwise with a malware-infected car comes into an auto-shop or dealership and gets hooked up to their diagnostic equipment. The malware then gets uploaded to the equipment which, in turn, can spread to uninfected cars. A classic virus infection process. Is it possible? According to Craig Smith, author of the Car Hackers Handbook and founder of open source car hacking group Open Garages, it is.
“Once you compromise the dealership, you have a lot of control…” – Craig Smith.
Control of a lot of vehicles that is. The cars won’t exactly drive by themselves. But a malicious hacker could have potential control of hundreds of vehicles, play God and shut them down or trigger any type of chip-controlled annoyance. Worse if the hacker decides to mess with the brakes during the car’s speed run. Yes, car owners should be very nervous unless they drive the gas-guzzling classics that have no chips on them. Imagine if a car’s GPS system was integrated with another chip-controlled system? An enterprising hacker could shut down the car in the middle of nowhere and demand ransom from the driver just to get it running. Just like that remote-start feature shown in Die Hard 4 only this time, it won’t be 911 in the controls (unless that scene was put there just to emphasize connectivity). A real-world example would be that news where hackers were able to shut down a Chrysler Jeep Cherokee’s brakes resulting in the vehicle running off the road. The very same systems that keep the vehicle safe, secure and comfortable could be used against the owner.
Smith demonstrated the possibility at the recent Derbycon hacker conference in Louisville Kentucky using a PC and a very inexpensive tool he crafted that’s used to seek out vulnerabilities of automotive diagnostic systems. The theory is, that if hackers can find the right vulnerability in automotive diagnostic equipment by bombarding it with errors from an infected car, that vulnerability can be used to carry a malware payload that will then be transferred to subsequent vehicles. As more and more equipment and appliance manufacturers think it’s a good idea to add an internet connectivity feature, the more these hacking scenarios get easier. The closest scenario to Craig Smith’s idea was when a team from the University of California and Washington in 2011, tested an auto-dealership attack by hacking into the dealership’s Wi-Fi and later gaining access to the mechanic shop’s diagnostic equipment and gaining access to whatever car was connected to the equipment.
“…You just get through the Wi-Fi in the dealership’s waiting room, and the attack spreads to the mechanics shop. Any car connected to it, it would be compromised. If the goal is to create mayhem or plant some form of ransomware, then going after the dealership is a fine way to get a lot of cars…”
–Stefan Savage, professor, University of California San Diego
Automotive computers are specialized and not full blown computers that can be loaded with anti-virus or anti-malware programs. But they do have overwritable or updatable firmware, and that firmware can be infected with malicious code. So the best way to avoid the scenarios indicated above, at least for now is to use tools such as what Mr. Smith developed. Tools that check out auto-dealership equipment and the cars themselves. Smith and others like him may have just carved a piece for themselves in the security industry, but that piece goes into the hole the automotive industry created ever since they decided to add chips to cars.
Adding computers to cars created a security hole. That hole just got bigger when those computers became updateable via overwriteable firmware. Made worse when those computers became connected to the internet and can be controlled remotely. Who can blame Mr. Smith for potentially cashing in? But there are others who could do worse, and Mr. Smith and other researchers should be thanked for spreading the awareness of hackable vehicles and creating solutions.
Now that some parties are pushing for driverless, fully automated vehicles, their research becomes all the more important. We have prototypes for driverless cars and maybe someday driverless trucks. It might not be long before some madman actually makes one of Stephen King’s works a reality.