Cars are modernazied in safety but not in security

We are living in an era of modern technology. Computer chips, embedded in all aspects of our daily lives, have made it possible to have access to all kinds of information when and where we need it. The automobile industry is adding features and packages that add more conveniences and ability to improve the driving experience.

People want to be connected even in their cars, which is motivating automobile manufacturers to add more unification between cars and personal devices such as smartphones and tablets. Modern cars have the ability to be remotely started by a mobile phone, using a connection from the car and a request to start it from the key holder, through cellular network services or the Internet. This is just one example of how cars are computerized and connected.

Modern automobiles contain upwards of 50 electronic control units (ECUs) networked together. The overall safety of the vehicle depends on communication between these various ECUs. While communicating with each other, ECUs are responsible for predicting crashes, detecting skids, performing anti-lock braking, etc. By re-programming these (ECUs) a car can be hacked and the attacker gets the full control of your car and can even kill you, sounds weird but it’s possible.

Last year, researchers at the University of California, San Diego, and the University of Washington demonstrated that critical safety components of a vehicle can be hacked if physical access to the vehicle’s electronic components inside the passenger cabin is available. Charlie Miller and Chris Valasek are two security experts that were funded by Defense Advanced Research Projects Agency (DARPA) to hack cars.

They have hacked a 2010 Ford Escape and a 2010 Toyota Prius. In Augustr, this year they made a presentation at the 21st annual Defcon hacker conference in Las Vegas. Even with diagnostic and reflashing services secured, packets that appear on the vehicle bus during normal operation can still be spoofed by third-party ECUs connected to the bus. Today, a modern automobile leaves the factory containing multiple third-party ECUs, and owners often add aftermarket components (like radios or alarms) to their car’s buses it raises question that which all third-party components we may trust.

Physical access to the car should be required before hacking into it. Someone who can access your car physically such as a mechanic, neighbor, a person who rents a car, a friend, or your family member, with even momentary access to the vehicle, can insert a malicious component into a car’s internal network via the ubiquitous OBD-II port and can then reprogram your cars (ECUs) and then take full control of your car.

There are also new tools, like Viper Smart Security, that use Internet mapping capabilities so owners can track their cars as well as Facebook functions that can be configured to send out instant updates on the car’s activity. This could easily be used to gain access to the passengers, schedule, and routine. The security concern here is not with the automobile itself, but the correlation between tracking and social media that opens the question of consumer privacy.

Based on gathering this information via Facebook updates, the details could be sold or used for other malicious activity against the individual. Car hacking hit the tech mainstream in an ugly way this past June when journalist Michael Hastings, famous for bringing down General Stanley McCrystal with a revealing Rolling Stone profile, was killed in a horrific car crash.

There are some steps the carmakers could make, though, according to Miller, such as isolating CANs and adding a detection-type system on the network to catch any suspicious or unauthorized behavior. It must be essential for automobile manufacturers to provide an external device by which the customer can monitor their CAN bus packets and in the near future there will be an anti-virus software installed in our cars. Every engineer on these projects is aware of those risks, and it wouldn't be a surprise to see automakers implementing bounty programs like those of Google and Facebook to report vulnerabilities before they become public.

At present it’s not a security threat, but security issue. The hope is that by releasing this information, everyone can have an open and informed discussion about this topic.