acm-header
Sign In

Communications of the ACM

ACM News

Car Hackers Could Drive You Off the Road (or They Might Settle for Money)


An electric vehicle plugged into a charging station.

Electric vehicle charging stations and their billing systems could give hackers a ride to the corporate network. Next stop, ransomware?

Credit: Pixabay

When Volkswagen (VW) recently revealed plans to quadruple its number of electric car charging stations and build a contactless payment system for the electricity, electric vehicle (EV) enthusiasts were thrilled. Europe's biggest automaker was shifting into aggressive catch-up mode, chasing electric vehicle market leader Tesla in an effort to quell drivers' range anxiety.

Yet as often is the case with any technological advance, the progress could come with pitfalls. To name one: as more EVs plug into charger billing systems, more openings are created for cyber hackers who might, for whatever reason, be looking for a way into the car.

This is not to pick on VW. The security implications are not lost on them, and surely they must be making things as impenetrable as possible as they multiply their number of supercharging stations in Europe to 45,000 by 2025.

Yet seeing a Reuter's account explaining that VW plans a new "Plug & Charge" system early next year that will allow a driver to use payment details stored in the car's computer system, we couldn't help but hear some alarm balls.

More than ever, cars are computers on wheels, whether they are fuelled electrically or conventionally. They are "things" on the ubiquitous Internet of Things (IoT), which means they are more than ever targets for hacking, as are the many other "things" on the IoT.

No one drove that point home more than "white hat hackers" Chris Valasek and Charlie Miller who, in 2015, remotely took over a Fiat Chrysler Jeep Cherokee. Up to that point, it was assumed that vehicular cyber break-ins required a presence in or near the car, but operating from Valasek's home in Pittsburgh, the two of them commandeered Miller's 2014 year model Jeep in St. Louis (roughly 600 miles away) as it was driven by Wired Magazine journalist Andy Greenberg for a story he was writing.

Using a Sprint mobile network, they broke in through the vehicle's Internet-connected onboard entertainment system, then wreaked havoc on Greenberg by shutting down the engine and disabling the accelerator while he was motoring along an interstate. They also blasted music at top volume from the sound system, cranked up the ventilation fans, set the wipers flapping, and doused the windshield with detergent. Later, when Greenberg was off-road at a slower speed, they also disabled the brakes (a short YouTube video catches all the unsettling action).

The widely publicized stunt led to Fiat Chrysler recalling 1.4 million cars, and to Sprint patching its network.

It's not easy

The good news is that the Miller/Valasek feat took considerable effort and know-how; it was not a prank for the casual hacker. As New York University (NYU) cybersecurity expert Justin Cappos notes, since the 2015 incident, car makers have fortified their systems. For instance, they have segmented a car's internal network, making it much more unlikely that a successful penetration could lead a hacker to any of the car's operations. The 2015 hack sent instructions to the vehicle's engine, brakes, sound system, and so forth via a rudimentary all-on-one-conduit known as a "CAN bus" (CAN stands for controller area network).

Charlie Miller—one half of the Miller/Valasek team—agrees with that assessment, noting Fiat Chrysler made a number of other improvements, including the addition of a gateway in a car's network, to help filter out spurious messages.

"If you look at this vehicle (the 2014 Jeep Cherokee) as an example, the security is much improved from when Chris and I examined it," says Miller, who now works with Valasek for General Motors' San Francisco-based self-driving car company Cruise. "Nothing is unhackable, but the amount of effort that it would have potentially required seems much larger now than it did then. I'm happy to see these types of improvements."

However, warns NYU's Cappos, the considerable improvements tend to apply to post-2015 year models, and not to earlier vehicles, such as the 2014 Jeep.

What's more, security is a cat-and-mouse game, with the good guys and bad guys constantly chasing each other.

Beware the wireless

Not only do modern cars use computers in all manner of operations including engine control, braking, steering, navigation, and multimedia systems, but they are rife with wireless connections. As any IoT hacker knows, wireless makes for a logical point of attack; cars are no exception.

Cappos, an associate professor of computer science and engineering in NYU's Tandon School of engineering, points out that a typical connected car has about a dozen wireless spots that, by the nature of wireless, open up potential vulnerabilities. Key fobs, Bluetooth music systems, tire-pressure-to-dashboard alerts, and telematics are all possible backddoors to a wireless hacker.

Not that it's easy, but as the cliché goes, if there's a will, there's a way. "And once you as a hacker get in, you can anything you'd like to do," says Cappos.

Like taking control as Miller and Valasek did?

"My biggest worry is criminal gangs building ransomware for cars to disable people's brakes," says Cappos, who believes nation-states already inclined toward hacking the telephones of journalists and dissidents might be willing to spend the considerable resources it takes to run cars off the road.

Cappos is not the only one thinking along those lines. To Blane Erwin, marketing manager of Fractional CISO, a Newton, MA-based information security consulting company, "What's scary and what we need to be the most concerned about is physical car control, that's where the real damage can be done. I don't want to be a fear monger, but if somebody had access to a fleet of vehicles and could command all their brakes to stop at once, we're thinking about a terrorist attack that could kill a lot of people at once, or injure people. Those are the systems that have to be protected: all of the physical car control—steering, braking and acceleration."

Erwin notes that while the technological challenges to remote hacking are formidable, a successful culprit could potentially hit a large number of cars, because an automaker will build the same defenses across different model lines. "If you can hack one, it's very likely you'll be able to reach many others, because with production-line assembly, all of these cars have the exact same system going out, and in some cases that even includes the same password and encryption keys for each vehicle made for a specific region," says Erwin.

Indeed, Fiat Chrysler's 1.4-million-car recall covered not just Jeep Cherokees, but also other Jeeps, as well as some models from the Dodge line.

Erwin believes the car industry has been doing a commendable job of addressing the security of connected cars, especially since the St. Louis/Pittsburgh "wake-up call."  However, regulators around the world, such as the U.S. National Highway Traffic Safety Administration, have yet to enshrine a clear set of security requirements, which must happen for safety's sake, he notes.

Your money or your network

Nefarious deeds of death and destruction aside, one security expert believes the more realistic danger is that cars could become entry points for hackers to penetrate corporate networks.

Sure, it's possible that the bad guys might smash cars into trees or use their evil ways to disrupt city systems like traffic lights, via hacking a connected car, "but are cyberattackers going to do that?" asks Elisa Costante, vice president of research for San Jose, CA-based security consultant Forescout. "To understand that question, we need to understand the gain. What is the return on investment?"

Costante surmises the real threat lies not in the armageddon of car wrecks, but in the practice of ransomware, the popular and malicious practice of freezing a corporate network until the company provides a rich payoff to the attackers. "It's a very clear business model for cyberattacker, because companies are paying," she notes.

Costante believes that the opportunities to hitchhike a ride from wired cars into the corporate network will increase, because not only are cars themselves becoming more computerized, but also because they will increasingly be connected to corporate networks, such as when they serve as an employee ID badge.

Electric vehicles also are being connected more and more to electric charger billing systems, which can be wired or involve a wireless element, such as what VW is planning.

"The car is becoming part of the extended enterprise," says Costante.

With that, the wired car could become "like the fish tank at the casino," she adds, referencing an event in recent hacking history in which a perpetrator accessed a casino's high rollers' database via an IoT thermostat in the casino's fish tank (the identity of the casino has never been revealed).

Miller and Valasek showed that cars can be spectacularly vulnerable; several other demonstrations with connected cars have proven similar possibilities. For the moment, however, outside of demonstration hacks, "I don't think there's a lot actually happening currently," says Cappos.

But it could, in which case it could be a matter of life and limb, or of bank accounts.

Mark Halper is a freelance journalist based near Bristol, U.K. He covers everything from media moguls to subatomic particles.


 

No entries found