Cars are already under attack as never before as the gadgetry they contain grows more complex and thus more vulnerable to would-be thieves. File photo: Kacper Pempel/Reuters.

All the frenzy over car-hacking would make more sense if the risks weren’t so easy to reduce: Just drive a simple car.

The threat of hackers taking control of cars has lately elicited perhaps more excitement than it deserves. The success of two security researchers in remotely hacking a Jeep – and taking over its accelerator while in motion – has prompted a class-action suit, a Senate bill to require vehicle makers to protect cars from such attacks, and a 1.4 million-vehicle recall, all without a single incident of malicious hacking.

That said, cars have long been susceptible to hacks. Consider, for example, keyless theft. Criminals have stolen thousands of cars – including David Beckham’s BMW X5 SUV in 2006 – by cracking the code needed to disable the immobiliser, a theft-prevention device that is obligatory in the EU and that 86 percent of cars in the US have. The immobiliser employs a radio frequency identification (RFID) chip that will not allow the engine to run unless the car’s original key, which transmits the necessary code, is present.

The car industry does not want people to hear too much about hacking immobilisers. Bloomberg News reported on Friday that Volkswagen, the world’s biggest car manufacturer by volume, had spent two years trying to suppress a report – now finally public – concerning a flaw in the chip that powers immobilisers. The paper’s authors, Roel Verdult, Flavio Garcia and Baris Ege, found three vulnerabilities in the Megamos Crypto RFID transponder used by Volkswagen, Fiat, Honda and Volvo. They said a successful attack took them about 30 minutes. Although those vulnerabilities are probably fixed, new ones will inevitably arise.

‘Attack surface’

Messing with the immobiliser is not the same as taking over the car’s entire computer system, as hackers Charlie Miller and Chris Valasek did with the Jeep. The more microprocessors a car has, the greater the “attack surface”, as security analysts call it. The Tesla Model S has 62 processors, about as many as top-flight BMWs, Mercedes, Audis and Lexuses do. There’s one in each airbag and each headlight. The processors are linked into networks so they can “talk” to each other and the networks are accessible from the outside through Wi-Fi, Bluetooth, cellular connections, RFID – every possible kind of communication technology.

Some of the chip-enabled functions are far from essential. The processor that runs the entertainment system, for example, might communicate with the one in charge of the anti-lock brakes to find out the vehicle’s speed and adjust the music volume accordingly. All these little computerised actions add up to a level of comfort drivers and passengers could not even dream of 30 years ago, but, to make them possible, engineers pile on potential vulnerabilities. A typical car uses 10 million lines of software code.

A successful attack requires time, equipment and expertise. So if you drive a scratched Ford with 125 000 km on it, you might be able to console yourself with the thought that you’re not worth the trouble. Wealthy people have more to worry about: They’re more likely to have expensive cars, or covetous enemies who will not be above hiring hackers to commit what could be a perfect, undetectable crime. For everyone, not worrying about car hacking is like living with a “12345” e-mail password: For a long time nobody cares enough to break it, then suddenly it is too late and your account is sending out virulent spam.

I am no Luddite. I know driverless vehicles are likely to be everywhere within a decade, and I’m not particularly concerned about what might go wrong: Where’s the money in hacking them, unless you specialise in cyber security? Still, the trade-off of security for convenience should be made consciously. I will always choose cars with a minimum of gimmicky functions, and prefer ones with an old-fashioned key that you turn in the ignition. The ability to start the engine with the push of a button is definitely not worth the trouble of having the car stolen. – Bloomberg