After purchasing my car, I wondered if I was going to regret my decision. At the car dealer, as I sat in the driver’s seat, the aviator style dashboard, array of digital displays, and innovative auto-sensing enhancements beckoned me to investigate further. As I was driving the car, I marveled at the plush leather seats and quick moving digital numbers of the speedometer jumping as I depressed the accelerator – my senses came alive. For 16-years, I have been driving a basic car with a plain dashboard, simple needle style speedometer, and creature comforts such as a AM/FM radio with a tape cassette. In my old car, I used to change my oil, replace my spark plugs, or fiddle around with the engine. Now, new automobiles have gone way beyond my capabilities as a do-it-yourself car mechanic. I have to take my car to the shop every time a fix it code appears on the dashboard display. I feel poorer after every visit to the mechanic because the new car requires a technician with a computer to diagnose my vehicle’s warning notifications.
Working for an antimalware security company, I am exposed to a lot of stories about criminals stealing credit card data and using the information to buy goods from retailers or online stores in order to resell them back out to the market or keep the stolen merchandise for themselves. I have read stories about organized crime syndicates banding together to take money from innocent people and have seen articles about entities hacking into databases to sell information to the highest bidder. It has helped me grow a thicker skin to reduce my fear, uncertainty, and doubt, but that is when it hit me! My new car is vulnerable to attack and I have no way to protect it. My new car feeling has taken a nose dive into the deep, dark abyss!
As I am looking down at my vehicle’s digital display, I begin to wonder what type of malware a car hacker would use if he wanted to mess around with my automobile. I imagine they could plug into my communications port to access my on-board diagnostics (OBD) and intermittently display some troubling diagnostics codes so I would have to drag it to the car mechanic. I begin to feel my wallet emptying out and I still have years of car payments left – a double whammy! This started my investigation into what car manufacturers were doing to protect vehicles from criminals. As I began to read through different articles about automobile hacks, I came across an old report from researchers at the University of Washington and University of California, who were able to gain control over vehicle components through the interface. That is not all, DARPA funded hack and wrote a paper entitled, “Adventures in Automotive Networks and Control Units“. It mentions that security intelligence experts were able to take control of the power steering, horn, and car dashboard. After reading these articles, the feeling of buyer’s remorse permeated conscience.
Random ideas would float into my thoughts. In a Ransomware seminar, I was thinking how criminals could extort money from me through a Ransomware attack. If criminals could create malware to lock you out of the car or make your vehicle inoperable, wouldn’t that be a big money making business for enterprising criminals? There are no reported cases of cars been subjected to a ransomware attack or a malicious code capable of holding someone hostage by disabling the car ignition, but my imagination is running on overdrive. I am also thinking the automobile industry is in really bad shape. While a security framework is available and encryption technology is helping to reduce vulnerabilities, I question whether the industry is able to adapt quickly enough to help protect vehicles from criminals who are trying to make money, make a political statement, or create a name for themselves in the billion-dollar hacking industry.
Malware hackers don’t care if they damage your car electronics, that don’t care if your car stops working while you are trying to get to your kids to music rehearsal, they don’t care if your brakes fail and you drive over a cliff – it is just collateral damage to them. The other day, I read another article that was about another hacker’s ability to disable the alarm on the Mitsubishi Outlander PHEV. By using the PHEV mobile application that connects wirelessly to the car, when the phone is in range, you can disable the car alarm and unlock the car. So what are car manufacturers doing to protect your vehicle from malware? Are they making sure your Android or iOS phone is scanning the applications for malware? The phone is becoming an integral part of the vehicle’s communication system and this could lead to a huge vulnerability.
Gartner predicts, by 2020, the number of connected passenger vehicles on the road in use will be about 150 million; 60% to 75% of them will be capable of consuming, creating, and sharing web based data.” Some journalist and analyst are seeing the convergence of the connected car to the Internet of Things (IoT). From your vehicle, you are able to turn on the lights of your home, turn off the alarm system, or unlock doors. The car has become an extension of your home with wireless devices able to interact your car’s communication system, so you can manage your house from a remote location. Since I connected my garage remote to my car system, I question whether I have made a good decision.
I am glad to still drive around old car even though it doesn’t have the dazzling lights and electronic comforts of a newer car. I can use my handy handheld tire pressure gauge and don’t have to be concerned with Tire Pressure Monitor system (TPMS) giving me a false reading. I can still listen to music and don’t have concerned about being attacked through an open wireless connection into my digital info-entertainment system. I don’t have to worry about GPS or my dashboard display being disabled by a criminal. I am still concerned with my criminals wanting to hijack my new car, but I feel better knowing that I have an old, reliable car. I hope Tier 1 and OEM automobile suppliers are considering ways to mitigate malware attacks by implementing Antimalware SDKs or scanning web traffic before data can access the Controller Access Network (CAN) Bus System. I am still left wondering about the future of automobile cybersecurity.