Yes, Your Car Can Be Hacked and Cars Can Get Malware: Car Computers Have Almost No Security



Today’s Cars Are Smartphones On Wheels

Car manufacturers have put a lot of time, money and effort into bringing as much tech as possible into their vehicles: not just the engine diagnostic computers cars have had in some form or other since the late seventies, but fully-functional entertainment systems with wireless and internet access. Unfortunately, automotive engineers were so busy trying to get the latest and greatest tech into consumers’ cars as quickly as possible that they didn’t put much thought into security matters. As reported on CNN Money:

– The 50 to 100 tiny computers that control your steering, acceleration and brakes are really dumb. They rarely conduct authentication, checking whether that message is really coming from you. An outsider can send them commands.

– The computer code in cars is outdated. It’s similar to the on/off switches used in industrial controls. It’s easily manipulated.

– Much like the human central nervous system, every electronic part inside a car is connected to a central spine. Tap one part, you can likely reach any other.

“The protocol and internal parts of the car were never meant to be connected to anything,” said Joe Klein, a researcher at security firm Disrupt6.

Cars’ computers were built safely enough back in the 1990s, when the car was a closed box. But their architecture won’t hold up as we hook them up to the Internet.



What Are The Risks?

As explained in this 2011 University of California San Diego paper, it’s actually pretty easy for a motivated hacker to take control of a car’s computer to do things like deploying the brakes, cutting power to the engine, unlocking the hood or trunk, or installing malware on the entertainment system, thereby setting the stage for infection of any devices the consumer uses with the car’s entertainment system or internet connection. This Computerworld piece reports that researchers have already successfully applied brakes remotely, listened in on cell phone conversations and more.

On top of these issues, there’s the matter of data collection and data privacy.

Senator Edward J. Markey (D-Massachusetts) was concerned enough about this problem to report security concerns to car manufacturers and ask them to report on what, if any, security measures they were currently using or planned to use to prevent hacking of consumer vehicles. The replies were not reassuring. You can read the Senator’s findings report here. Among the scarier highlights:

1. Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.

2. Most automobile manufacturers were unaware of or unable to report on past hacking incidents.

3. Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across all automobile manufacturers, and many manufacturers did not seem to understand the questions posed by Senator Markey.



4. Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most say they rely on technologies that cannot be used for this purpose at all.

5. Automobile manufacturers collect large amounts of data on driving history and vehicle performance.

6. A majority of automakers offer technologies that collect and wirelessly transmit driving history data to data centers, including third-party data centers, and most do not describe effective means to secure the data.

7. Manufacturers use personal vehicle data in various ways, often vaguely to “improve the customer experience” and usually involving third parties, and retention policies – how long they store information about drivers – vary considerably among manufacturers.

8. Customers are often not explicitly made aware of data collection and, when they are, they often cannot opt out without disabling valuable features, such as navigation.



How To Protect Yourself

Unfortunately, when it comes to the computer that controls your car’s mechanical functionality and collects data on vehicle usage, there’s nothing you can do. Those computers aren’t accessible to consumers, so it’s up to the car manufacturers to institute better security and controls. You can write your Congressman or complain to the manufacturer of your car, but it’s a safe bet that consumer demands for costly security improvements will take years to work their way through the legal system. You can also contact the manufacturer’s headquarters to ask for more information about what data is gathered by the car’s computer, with whom it is shared and how long it’s retained, but it’s not as if you can simply opt out of data gathering that’s built right into your car’s systems.

A computerized and connected on-board entertainment system is another story. Anytime you use your car’s Wi-Fi or cell connection, assume you have zero privacy—because in effect, at this point in time, that’s true. That guy or gal a couple cars over could be listening in, whether that means actually hearing your cell phone conversation or collecting and saving your texts and any data passed to websites through your car’s internet connection (e.g., usernames and passwords).


Sorry the news isn’t better, but at least now you know to assume your car’s internet and cell connectivity aren’t private, and are easily hacked.

