Does hacking threaten motorists?
DOI: 10.1063/PT.4.0151
The 20 August Reuters report ‘Experts hope to shield cars from computer viruses ’ has been circulating, appearing, for example, on 9 September in at least one daily paper in the Tribune organization, with the subhead ‘Security engineers, automakers try to ensure electronic bug shields can prevent hacking.’
The article starts on a note of alarm:
A team of top hackers working for Intel Corp’s security division toil away in a West Coast garage searching for electronic bugs that could make automobiles vulnerable to lethal computer viruses.
Intel’s McAfee unit, which is best known for software that fights PC viruses, is one of a handful of firms that are looking to protect the dozens of tiny computers and electronic communications systems that are built into every modern car.
It’s scary business. Security experts say that automakers have so far failed to adequately protect these systems, leaving them vulnerable to hacks by attackers looking to steal cars, eavesdrop on conversations, or even harm passengers by causing vehicles to crash.
‘You can definitely kill people,’ said John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, a non-profit organization that helps companies analyze the potential for targeted computer attacks on their networks and products.
Scary? Harm passengers? Definitely kill? Though Reuters does stipulate that ‘there have been no reports of violent attacks on automobiles using a computer virus,’ the article never conveys the outlook or tone of researchers in an organization that it highlights, the Center for Automotive Embedded Systems Security . CAESS is a collaboration between the University of California, San Diego and the University of Washington, with the ‘research mission ... to help ensure the security, privacy, and safety of future automotive embedded systems.’
Concerning the sensible level of alarm, CAESS explains :
We believe that car owners today should not be overly concerned at this time. It requires significant sophistication to develop the capabilities described in our papers and we are unaware of any attackers who are even targeting automobiles at this time.
However, we do believe that our work should be read as a wake-up call. While today’s car owners should not be alarmed, we believe that it is time to focus squarely on addressing potential automotive security issues to ensure that future cars — with ever more sophisticated computer control and broader wireless connectivity — will be able to offer commensurately strong security guarantees.
The Reuters piece names two CAESS publications: ‘Comprehensive Experimental Analyses of Automotive Attack Surfaces ,’ an earlier version of which was prepared as a report for the National Academy of Sciences Committee on Electronic Vehicle Controls and Unintended Acceleration, and ‘Experimental Security Analysis of a Modern Automobile .’ CAESS outlines the context for these efforts :
Modern automobiles are becoming increasingly computerized — with many components controlled partially or entirely by computers and networked both internally and externally. This architecture is the basis for significant advances in safety (e.g., anti-lock brakes), fuel efficiency, and convenience. However, increasing computerization also creates new risks that must be addressed. Our research mission is to help ensure that these future automotive systems can enjoy the benefits of a computerized architecture while providing strong assurances of safety, security, and privacy.
Reuters mentions querying officials at Ford, General Motors, Chrysler, Toyota, Hyundai, Nissan, Volkswagen, and Honda, but offers little resulting information. The article reports, for example, that a ‘spokesman for Honda ... said that the Japanese automaker was studying the security of on-vehicle computer systems, but declined to discuss those efforts.’ Similarly, the article says that a ‘spokesman for the U.S. Department of Homeland Security declined to comment when asked how seriously the agency considers the risk that hackers could launch attacks on vehicles or say whether DHS had learned of any such incidents.’
In the end, this CAESS expression of the long view seems to merit quoting: ‘We believe that addressing these challenges will require a concerted effort from all relevant stakeholders, including not only researchers, but those in the automotive industry (manufacturers, parts suppliers and technology vendors), government, insurance companies, public interest groups, the public, and others.’
Steven T. Corneliussen, a media analyst for the American Institute of Physics, monitors three national newspapers, the weeklies Nature and Science, and occasionally other publications. He has published op-eds in the Washington Post and other newspapers, has written for NASA’s history program, and is a science writer at a particle-accelerator laboratory.