The modern automobile is a marvel of engineering, capable of so much more than just transporting people from work to home and back again. Based upon purely mechanical roots, subsequent generations of progress have added extensive electrical controls, advanced electronic systems and wireless connections to phones, the internet and – in the near future – other vehicles and the roads themselves. Your car is a computer, a communications hub – and a very attractive target for criminals.
Despite the increasing complexity of our vehicles, many Canadians are not aware of the risks they face. Any threat affecting a computer at home could just as easily affect a car parked outside. And even on the former point we are falling short: in a recent survey conducted by ESET on computer users in Canada and the US, 42 percent of respondents didn’t know what their internet security/antivirus software actually protected them from. And even though ransomware – malicious software that makes it impossible for you to access your personal files unless you pay up – has resulted in the loss of tens of millions of dollars over the past few years, fully 30 percent of those surveyed had no idea what it is.
Security begins with awareness. You’ve probably seen more than your fair share of spam over the years. You know not to click on internet links from someone you don’t know. However, sometimes just making use of a system – connecting to the free Wi-Fi at a coffee shop, for example – can expose you to attack. There’s often a trade-off between security and convenience, and only you, the driver, the user, can decide what’s right for you. What follows is a brief overview of the vulnerabilities you should be aware of and what you can do to minimize your risk.
What’s at risk?
For starters, the car itself. They could unlock the doors and steal it outright; or, just as ransomware can prevent access to your files, an attacker can also prevent access to your car, by locking you out, or by locking down the engine – holding it hostage without it ever leaving your driveway. Or they can hijack the controls, with you behind the wheel – as a couple of hackers demonstrated for a tech reporter last year. Experts have already come up with a catchy name: jackware, coined by Stephen Cobb, senior security researcher at ESET.
Or it could be your connected devices and the data you store on them. In this case, the threat posed is much the same as existing malware. They can lock you out of your phone, or steal your passwords and banking information.
Where are the vulnerabilities?
Once again, we begin with the car. In modern cars, almost all systems are interconnected. This is what allows a touchscreen in the centre stack to control the radio, display the parking camera feed and monitor tire pressure. Depending on the vehicle, an attacker may only need to penetrate one system – get their foot in the door – to access the rest.
In recent years, especially with hybrids and electric cars, manufacturers allow the driver to remotely check in on their vehicle to monitor the battery charge or turn on the climate control before passengers get in the car, for instance. In this case, every part of the chain – the manufacturer’s servers; the driver’s phone; the car itself; the internet connection between the car and the servers and the driver’s phone – is vulnerable to attack.
In short, the more connected your car is, the more susceptible it is to attack. It may sound dire, but these threats aren’t new. A large part of the research that goes on at automobile, device and software firms is dedicated to keeping these systems locked down and secure.
What can we do?
Most of the advice is common sense; they’re things you already know, just adapted to a different set of circumstances.
Back up your data: Computer experts have been saying this for years, decades even. It used to be that backing up your data meant countless hours spent with discs and hard drives. Today, with cloud services, it’s easier than ever. If you use a smartphone, chances are your photos are automatically backed up to a server whenever you’re connected to Wi-Fi. Same goes for your contact list and conversation history. Just make sure you know what’s backed up and what isn’t, and also know how to restore those back-ups when you need them.
Set a strong password (or use biometric verification, like a fingerprint): A good password can go a long way toward protecting your information. Unfortunately, strong passwords, such as those with mixed numbers and letters and symbols, can be difficult to remember; using your fingerprint provides a good, secure alternative. Yes, fingerprints get stolen all the time in spy movies and police procedurals, but it’s much, much rarer in everyday life.
Clean up after yourself: You wouldn’t leave your wallet in a hotel room, so why would you leave your information in a rental car? If you use the Bluetooth function in a car you don’t own, make sure you clear your phone from the list of paired devices and delete any personal information, including phone numbers, addresses, or text messages. Same goes for the GPS system.
Look before you connect: This goes for wireless networks (check the spelling of the network name), to physical ports (check for damage or modification to a USB port). As with ATM card skimmers, these attacks are designed to intercept your data. (A damaged USB port can also cause electrical problems with your device.)
Monitor your permissions: Bluetooth is vulnerable to many attacks, but most of us don’t think twice about which devices we’ve paired to our cars and phones. You wouldn’t give your house keys to a stranger, so check your Bluetooth paired devices list and scrutinize any unfamiliar entries.
What are the manufacturers doing?
Manufacturers implement the most secure system they can manage in their vehicles. However, that system comes under attack the moment the first unit rolls off the factory floor – or even before. Security, therefore, is a continuous process.
Threats can be identified by the manufacturer’s internal research teams or by a third-party, or discovered "in the wild". Some manufacturers work closely with university researchers, while others – such as Tesla and FCA – have standing “bug bounties”.
Depending on the vulnerability, the fix may be a simple software patch, or require new hardware. Based on the severity of the problem, a service bulletin or recall is then issued.
Can’t they design a fully secure system?
Imagine seeing this warning when you try to turn the A/C up.
Every modern computer system and network is designed to be secure. Security experts anticipate possible exploits and develop safeguards, but hackers base their trade in unexpected and novel attacks. To use an analogy, homeowners lock their doors to stop burglars, but deadbolts are of little use against the Kool-Aid Man.
Automobiles present an additional challenge in that certain operations are very time-sensitive. Imagine if you turned the steering wheel but the response was anything less than instantaneous. Secure systems are more complex – every input needs to be verified before it’s passed along to the relevant component, and there could be multiple stops along the way – and complex systems require more time to process data, which increases latency, or lag. Engineers have to carefully balance latency with security in their design, and there’s no simple solution.
Sometimes systems aren’t secure because the users demand convenience. Imagine having to enter a password just to change the volume of the speakers. That seems insane, until you consider that an attacker might crank up the stereo all the way to aggravate or distract the driver. Other features of the car undergo the same consideration – how often should the car check for the presence of a remote keyfob? Should the wireless password for the car’s hotspot change on a monthly basis? We take these security decisions for granted, but there’s an enormous amount of research behind them.
What happens next?
Why don’t they just install antivirus or security software in cars, just as they do with computers, you ask? Well, that may very well happen in the near future, according to the experts. Automobiles are at the level of sophistication where this type of software is becoming feasible and necessary.
That’s just the tip of the iceberg, however. Autonomous vehicles have started appearing on the landscape, while vehicle-to-vehicle and vehicle-to-infrastructure communications are expected in the near future. Automotive security is no longer limited to the automobile – the roads we drive on today are about to become a literal network.
