Several years ago, when Microsoft announced its intention to have its software installed in automobiles, my immediate gut reaction was, oh great, now we will have bug fixes, patches, crashes, reboots, updates, blue screens of death, and car hacking. Such has been the experience of millions of users of Windows software for decades – why would the user experience in cars be any better – or different? (and it if would be better, why are those improvements not yet present in desktop / laptop computers?)
Fast-forward to May 2010, when the New York Times ran an article that described the extent to which computer systems are at the heart of a modern automobile’s control systems. I am not talking about the navigation system here, but engine, brakes, lights, and other basic functions. A team of computer scientists from UCSD and UW demonstrated the ability to hack into a car and remotely control its basic functions, including starting, stopping, engine control, instruments, and steering.
Why hack a car
Your next question might be, why would someone wish to hack into someone’s car? Some reasons include:
- Theft. An intruder may wish to steal the car by hacking into its systems to disable the alarm, start the car, and maybe even remotely drive it for a short distance.
- Fun. Immature but technically talented individuals may derive enjoyment from their ability to take over the controls of a running automobile in order to alarm its driver.
- Harm. An individual or team may be intent on causing harm to the driver and/or passengers of a car by wrestling control of the car from the driver and causing the car and its occupants to crash.
The development of the Toyota loss-of-control matter has demonstrated to the public that automobile computer control systems are prone to malfunctions that can cause safety issues. Whether Toyota’s specific problems were proven to be related to onboard computer systems is irrelevant; the point is, that the crisis demonstrated that it is plausible that computer malfunctions can indeed result in potentially lethal safety issues.
Unsecure by design
The car hacking experiment conducted by UW and UCSD researchers was a proof-of-concept that was very time consuming to perform. The experiment proved that security controls installed in automobiles to prevent hacking are weak at best. Consistent with many other new technologies, computer systems in automobiles were designed with functionality in mind, and security given little or no consideration.
Easy to hack
Will car hacking always be difficult. Certainly not, and the firesheep tool is proof of this. Soon (perhaps already a fact for some readers of this article) there will be tools available for novice computer users who will be able to select from an array of nearby vulnerable cars, and be able to easily take over control of the car’s instruments, engine, brakes, climate control, navigation system and, indeed, practically everything in the car. There will probably even be an iPad version of this tool for hip hackers.
Toyota [allegedly] has proven that automobile electronics can fail all by themselves. UW and UCSD has also proven that automobile electronics have weak defenses. Firesheep has proven that easy-to-use hacking tools will quickly be developed and used. Automobile manufacturers need to adopt a secure-by-design principle in the development of all on-board electronic systems in order to minimize the threat of car hacking.
I think that I’ll stick with my 1991 Miata for the time being.