As cars become more like PCs on wheels, what's to stop a hacker from taking over yours?
In recent demonstrations, hackers have shown they can slam a car's brakes on at freeway speeds, jerk the steering wheel and even shut down the engine - all from their laptop computers.
The hackers are publicising their work to reveal vulnerabilities present in a growing number of car computers. All cars and trucks contain from 20 to 70 computers. They control everything from the brakes to acceleration to the windows, and are connected to an internal network. A few hackers have recently managed to find their way into these intricate networks.
In one case, a pair of hackers manipulated two cars by plugging a laptop into a port under the dashboard where mechanics connect their computers to search for problems. Scarier yet, another group took control of a car's computers through cellular telephone and Bluetooth connections, the CD player and even the tyre pressure monitoring system.
To be sure, the “hackers” involved were well-intentioned computer security experts, and it took both groups months to break into the computers. And there have been no real-world cases of a hacker remotely taking over a car. But experts say high-tech hijackings will get easier as automakers give cars full internet access and add computer-controlled safety devices that take over driving duties, such as braking or steering, in emergencies.
Another possibility: A tech-savvy thief could unlock the doors and drive off with your vehicle.
Security research company CEO Rich Mogull commented: “The more technology they add to the vehicle, the more opportunities there are for that to be abused for nefarious purposes.
“History keeps showing us that anything with a computer chip in it is vulnerable.”
Over the past 25 years, car companies have gradually computerised functions such as steering, braking, accelerating and chaning gears. Electronic throttle position sensors, for instance, are more reliable than the old throttle cables. Electronic parts also reduce weight and help cars use less fuel - but the networks of little computers inside today's cars are fertile ground for hackers.
Charlie Miller, a security engineer for Twitter, and fellow hacker Chris Valasek, director of intelligence at a Pittsburgh computer security consulting firm, cracked the computer systems of a 2010 Toyota Prius and 2010 Ford Escape through ports used by mechanics - although, even with their expertise, it took them nine months to do it.
Valasek said: “We could control steering, braking, acceleration to a certain extent, the seat belts, lights, hooter, speedometer and even the fuel gauge.”
Their report, which included instructions on how to break into the cars' networks, was released at a hacker convention in August. They said they went public to draw attention to the problem and get automakers to fix it, saying car companies haven’t put any security measures on the diagnostic ports.
Ford wouldn't comment other than saying it took security seriously, and pointing out that Miller and Valasek needed physical access to the cars to hack in.
Toyota said it did have added security - which it continually tested to stay ahead of hackers; it said its computers were programmed to recognise rogue commands and reject them.
“We could have turned the brakes off.”
Two years ago, researchers at the University of Washington and University of California in San Diego did more extensive work, hacking their way into a 2009-model mid-sized car through its cellular, Bluetooth and other wireless connections - even the CD player.
Computer science professor Stefan Savage said he and other researchers could control nearly everything but the car's steering.
“We could have killed the engine. We could have engaged the brakes,” he said.
Savage wouldn't identify the make or model of the car they hacked into, but two people who knew about the resarch said the car was from General Motors and the researchers compromised the OnStar safety system, best known for using cellular technology to check on customers and call for help in a crash.
GM wouldn't comment on the research, but said it took security seriously and was putting strategies in place to reduce risk.
CLOSING THE LOOPHOLES
One of the people said GM engineers initially dismissed the researchers' work, but after reading the report, quickly moved to close loopholes that allowed access to the car's computers.
Savage doesn't think common criminals will be able to seize control of cars electronically anytime soon - it would take too much time, expertise, money and hard work to hack into the multitude of computer systems found in a modern car.
“You're talking about a rarefied group with the resources and wherewithal,” he said.
Instead, he believes basic theft is a more likely consequence of computerisation, with criminals being able to unlock doors remotely and then start and drive the car by hacking through the diagnostic port. Remote door unlocking could also lead to theft of packages, phones and other items stored in a car. - Sapa-AP