Late last month, a huge Distributed Denial of Service (DDoS) attack disrupted US internet traffic and shut down many popular websites including Twitter, Spotify and Vox Media. This was of course a concern to me because I could no longer read tweets from Taylor Swift and Justin Bieber. I could also no longer stream my favourite Lady Gaga song from Spotify.
With all the free time now on my hands, I noticed a significant portion of the attack came from infected Internet-of-Things (IoT) devices such as home routers, IP video cameras, and TVs. AT&T reported that although 20 car makers had cars with wireless services running through their network, they were all protected by their VPN.
Apparently, as cars become more connected and part of the IoT, the possibility that your car can be hacked will increase. At the same time, autonomous technology is also being added to cars at a rapid pace meaning that a hacker could potentially remotely control many of your cars critical functions and/or steal your car.
When I think about a “connected car”, I visualize a car phone, an attractive option on luxury cars from the 80’s when cellular phones were the size of suitcases.
Obviously this is no longer the case. Almost every single manufacturer offers some sort of connectivity even for their most entry level model. For example, every Fiat-Chrysler Automotive (FCA) product has an UConnect system that allows wireless connection through both Bluetooth and cellular pairings.
Tesla has taken this to the next level with Over The Air (OTA) software updates for their cars. Instead of having to bring, for example, a Tesla Model X into the dealership to resolve opening door issues, Tesla uses cellular radio to upload software updates directly to vehicles. From a security standpoint, this is a big potential risk as this also means that there is a potential risk to upload malicious software to the vehicle’s software system.
Theoretically, it would be possible to use a cellular device to unlock and start the car, disable the tracking GPS and steal the car. As more and more cars adopt cellular radios for updates, there will be a larger number of cars that can be stolen remotely.
Another related risk is that many cars today are sold with autonomous technology. Many people only remember news stories about autonomous cars crashing, such as the Tesla Model S fatality, or the Google Lexus crashing into a bus. However, the reality is that even entry-level cars have autonomous technology. For example, the Ford Focus has an option of a pre-brake system that can perform emergency braking when the car is on a collision course with an object. Luxury sedans, of course, have far more sophisticated systems including radar guided cruise control that can control throttle, braking, and steering functions.
When both autonomous and wireless technology are combined, it is possible that hackers in the future would be able to both break into, start, and drive away a vehicle remotely from the comfort of their homes. The Wall Street Journal recently reported the case of several Jeep car thefts where the perpetrators used a laptop to start the vehicles and steal them. Wired magazine also recently had an article where two security researchers, Charlie Miller and Chris Valasek were able to hack into a 2014 Jeep Cherokee and take control of the steering and throttle inputs.
WHAT CAN YOU DO ABOUT IT?
Clearly, it is only a matter of time before hackers are able to combine wireless technology to take advantage of autonomous car technologies. Fortunately, for the time being, only a limited number of cars are exposed to these vulnerabilities. Norton recommends the following security measures to prevent high-tech theft:
- Wireless systems. Make sure you are aware of wireless systems, such as cellular radio, or Bluetooth, installed on your car. Find out if the systems can be operated remotely. For example, sellers and security companies install engine shut-off devices.
- Car Computers. Make sure you are taking your vehicle to reputable dealers or garages, or are doing the work yourself.
- Passwords. Make sure the car computer password is changed from the default factory setting and that it is not stored in your car.
Cars are no longer the closed system that they once were in the pre-digital age. Instead, vehicles are now open systems like the internet, and also bring with it all the associated vulnerabilities and threats.