Who’s Driving?

Its 2012 and you’ve just bought yourself the latest and sportiest version of a “whatevermobile” and you can’t wait to show it to your executive buddies and trophy girl friend.

It has the latest stability control and an LCD instrument cluster that is completely customizable.  There is the very latest GPS that makes last year’s version seem like a paper road atlas.  Roaming WiFi ensures that you can stay in touch with the ever present demands of your profession and provide you the ability to delegate anything but the most choice work assignments.

This car will ensure that you don’t fall asleep, tailgate, hit a pedestrian, or miss a turn, even at night in the rain.  No matter how aggressively you apply power it will always get you around the most difficult corner and still keep the cabin stable on the chassis.  It is a dream come true for you.

At least until today.  At least until now.  Something has dramatically changed. It is as if the car has a mind of its own.  You are just trying to figure things out when all the door locks cycle through and lock themselves.  Then your instrument panel lights up with a message.  You’ve been car-jacked.  The car is being controlled – but not by you.  A jab on the brake pedal feels like it should but nothing happens.  The message on the dashboard tells you that you have a bomb on board and that you must transfer funds from your financial accounts via WiFi if you want it disarmed. 

There is nothing you can do but obey the demands.  Your accounts are wiped out and you are locked for eight hours in the car.  By the time the hackers have released you it is too late to apprehend or even trace them.

Does this sound like an implausible movie script?  Today’s cars have become far more sophisticated and complex than you can imagine.  Many of these “improvements” are mandated by government regulations and along with all this sophistication come vulnerability.

Back in 2007 the chief security engineer for Inverse Path Ltd. worked with the company’s hardware hacker to break in to an automotive satellite navigation system.  They used off the shelf equipment to transmit code number alerts over Radio Data System (RDS), a European standard used in North America that allows FM radio stations to provide traffic information and identify the radio station to the listener.  The RDS system isn’t encrypted nor is it authenticated. 

In November of 2009 researchers from the University of Washington and the University of California were able to hack into a moving car and change its speed and turn off its brakes using an application called CarShark.  The researcher driving the subject car described the unsettling feeling of having complete loss of control.  He got full resistance from the brake pedal, but nothing happened.  The setup allowed the hackers to remotely turn lights off and on selectively, operate windshield wipers, honk the horn, pop the trunk, rev the engine, disable specific cylinders, engage individual brakes, or completely shut down the vehicle while it was in motion.

This past March, Omar Ramos-Lopez, a twenty-year-old disgruntled former employee of Texas Auto Center in Austin remotely disabled over 100 cars owned by customers by cyber-jacking the Pay Technology black boxes that the dealer installed in its high-risk customer’s vehicles. 

A lot of amazing features exist in our cars and more are being piled on with every model change, just be aware that so far little or nothing has been done to secure those features from attackers.