Who’s Driving That Car?

Remote hacking is a growing problem, and it’s not just confined to one car company.

In my May blog, I wrote a short piece on the incident where, supposedly, an airliner’s computer system had been compromised by a wayward security researcher from One World Labs. Chris Roberts was his name. Anyway, if you didn’t read about it, the long and short of it is that he hacked a simulator and not a jet. Nevertheless, the issues it raises have implications across the entire transportation infrastructure.

In that same vein, it was just publicized that hackers managed to hijack some vehicle software and were able to remotely control the steering, brakes, and horn from a laptop. They were also able to change the speedometer, switch the headlights on and off, and adjust the seatbelts…even honk the horn.

It turns out the hackers used a wireless connection (a security hole in the Sprint cellular connection to the UConnect infotainment system) linked to the car’s electronics. Charlie Miller and Chris Valasek were the security engineers; the vehicles they hacked were a Toyota Prius and Ford Escape.

And this wasn’t the first remote hack. There was also a report claiming that nearly all new cars are hackable, which led to a lawsuit against GM, Ford and Toyota for “dangerous defects in their hackable cars.”

This particular project was funded by a grant from the U.S. Defense Advanced Research Projects Agency to highlight the security risks affecting modern-day cars. Well, at least it was done in the right light.

It was a pretty easy accomplishment. But is it really a surprise? Those of us on the bleeding edge of security have known for quite a while that the automotive industry is way, way behind other industries in security. They are finally coming around, but not fast enough. At least, not for Senators Ed Markey and Richard Blumenthal, who plan to introduce legislation that’s designed to require cars sold in the U.S. to meet certain standards of protection against digital attacks and improve privacy.

This legislation is aptly named the “Security and Privacy in Your Car (SPY Car) Act.” It outlines policies and procedures for cybersecurity standards intended to prevent hacking of vehicle control systems. It also addresses privacy standards with regard to data collected by vehicles. The senators also want the NHTSA and the FTC to establish a “cyber dashboard” that displays an evaluation of how well each automobile protects the security and privacy of vehicle owners.

“Drivers shouldn’t have to choose between being connected and being protected,” said Markey. There need to be clearly defined rules in vehicular security to protect cars from hackers and people from data compromises. This legislation is written to set minimum standards and transparency rules to protect both the data and the privacy of drivers as they become increasingly connected. And they aren’t even looking to the IoE.

C’mon, you automotive guys, get with the program. I know the industry is making progress, but it’s having a hard time realizing the gravity of what happens with weak vehicular security. I understand there are government agencies like the NTSB, the NHTSA, and others involved, but this deals with data and security, not automotive technology, per se. It seems like it is going to take an act of Congress to get them on board.

If one extrapolates this, assuming the heel-dragging continues, and with a bit of imagination, there could be millions of malfeasants sitting around in parking lots, with all kinds of hacking gear (most of which can be found on eBay), playing demolition derby!