
Senator Wants Cybersecurity Answers from Automakers

Source: Tom's Guide US

A U.S. senator has asked 20 automobile manufacturers how each plans to stave off wireless hacking attempts on vehicle computer systems, as well as prevent violations of driver privacy.

"I write to request information regarding your company's protections against the threat of cyberattacks or unwarranted invasions of privacy related to the integration of wireless, navigation and other technologies into and with automobiles," wrote Sen. Ed Markey, D-Mass, in a letter to Daniel Akerson, CEO of General Motors, on Monday (Dec. 2).

Markey's questions imply that he wants carmakers to apply computer-industry security processes, including implementation of anti-virus software, incident logging, incident-response planning, software vulnerability patching and third-party penetration testing — the last of which would stage real hacker attacks on mass-production vehicles.


"Today's cars and light trucks contain more than 50 separate electronic control units (ECUs), connected through a controller area network (CAN) or other network," Markey said. "Vehicle functionality, safety and privacy all depend on the functions of these small computers, as well as their ability to communicate with one another."

Identical letters were also sent to the heads of the North American divisions of Aston Martin, Audi, BMW, Chrysler, Ford, Honda, Hyundai, Jaguar Land Rover, Lamborghini, Mazda, Mercedes Benz, Mitsubishi, Nissan, Porsche, Subaru, Tesla, Toyota, Volkswagen and Volvo. (Audi, Lamborghini, Porsche and Volkswagen share ownership.)

Car hacking isn't just in the movies

Markey, one of the half-dozen lawmakers on Capitol Hill who have demonstrated a clear understanding of computer technology, cited research done earlier this year by two Pentagon-funded "white hat" hackers.

"In a recent study that was funded by the Defense Advanced Research Projects Agency (DARPA)," Markey wrote, "Charlie Miller and Chris Valasek demonstrated their ability to directly connect to a vehicle's computer systems, send commands to different ECUs through the CAN and thereby control the engine, brakes, steering and other critical vehicle components."

Car Hacking in the Wild

Miller, whose day job is at Twitter, and Valasek, who works for Seattle security firm IOActive, used the Pentagon's grant money to open up the dashboards, and then take control, of a Toyota Prius and a Ford Escape.


Because the duo plugged laptops into the cars' wiring, the vulnerabilities they found wouldn't be covered by Markey's requests for information, which concern wireless access to vehicle computer systems.

However, Ford and Toyota dismissed Miller and Valasek's research as unrealistic and unlikely to take place in the real world, which made the companies' responses fair game for Markey's questions.

"Both companies reportedly noted that the researchers directly, rather than wirelessly, accessed the vehicles' computer systems," Markey wrote, "and referred to the need to prevent remote hacking from a wireless device."

As Markey then noted, vehicle hacks have indeed accessed car systems wirelessly. Other hacks have used methods that didn't require digging into dashboards or getting under hoods.

In the past few years, white-hat hackers have started cars using text messages, modified smartphone apps and specially crafted audio CDs. Real criminals have used mechanics' diagnostic tools to steal luxury vehicles.

Tough questions for car makers

Markey's security-related questions ask each manufacturer:

— How many vehicles in its 2013 and 2014 production fleets have wireless access.

— What kind of consumer-accessible vehicle computer systems are present, including Wi-Fi, Bluetooth, smartphone integration, Web browsers, OnStar and similar cellular systems, as well as vehicle-to-vehicle communications.

— Whether the vehicles have been subjected to third-party penetration tests.

— Whether any kind of dedicated security technology is in place.

— What kind of security breaches have already occurred.

— Whether the company has procedures to mitigate incidents and push out software patches.

The senator also asked several privacy-related questions, including how each company collects, stores and distributes information collected by in-car systems relating to driver behavior and history, navigation, location, speed and mileage.

Markey wants to know whether such information is shared with law enforcement, debt-collection agencies or insurance providers, collected by auto dealers or auto-rental companies or sold to third parties.

In a series of questions that affect both security and privacy, Markey asks how many vehicles contain technology, such as General Motors' OnStar, which could remotely shut down a vehicle, and whether customers were made aware of such features.

The senator asks that each company respond to his questions by Jan. 3.

The Auto Alliance, an association of auto manufacturers whose 12 members were all sent Markey letters, issued a pre-emptive statement that "cybersecurity is among the industry's top priorities and the auto industry is working continuously to enhance vehicle security features."

The two-page statement cited the reliability and advantages of in-car computing, as well as cooperation in research and development with other transportation industries, but did not answer Markey's questions.

Car Hacking Presentation at DEF CON 21

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

  • 0 Hide
    ericburnby , December 5, 2013 6:16 AM
    Complete waste of time and taxpayers' money.

    This is the field I work in (automotive control systems). The only reason they could "hack" into cars was because they had physical access to them and completely ripped the interior apart to get to the wiring and modules.

    In the real world there's no way someone is going to wirelessly access your car and make changes to how things operate.

    It would be like claiming you can break into my PC at home through the Internet when I left the Ethernet cable unplugged.
  • 1 Hide
    AndrewJacksonZA , December 5, 2013 6:37 AM
    @ericburnby: Including the Bluetooth entertainment stuff? And what about cars that are Wi-Fi hotspots (admittedly I don't know of any cars that have Wi-Fi hotspots built in)?
  • 0 Hide
    ddpruitt , December 5, 2013 6:38 AM
    I have to agree that this is very unrealistic. Of course you can hack into a car if you took the dash apart. The other hacks use the OBD interface to reflash the firmware, something that's required. This is fairly easy to do because (wait for it) it's mandated by government regulations! Other than reflashing the ECU or changing the firmware on the radio, both of which require physical access, there isn't anything you can do to hack a car.
  • 0 Hide
    unksol , December 5, 2013 6:42 AM
    It would be like claiming someone could break into your computer at home that was connected to the internet by WIRELESS. Which they CAN. Was the DARPA study a waste? Yes. Everyone knows you can access a vehicle's systems via the CAN bus; that's what it's there for. That's why automakers dismissed that pointless study.

    You're ignoring Wi-Fi, text messaging, remote access, internet access, Bluetooth access and smartphone access that are being built into cars. And the level of system access or how far they are tied in. All of those can be hacked wirelessly if not properly secured.

    I suppose you also didn't read the link about hackers being able to unlock, start, and locate a vehicle via GPS with text messages? And what handles those commands? The ECU. Which runs code. If you have access to the ECU wirelessly it can and will be hacked.
  • 0 Hide
    Darkk , December 5, 2013 7:37 AM
    Just make sure you don't install McAfee anti-virus in your car otherwise it'll run real slow.
  • 0 Hide
    derekullo , December 5, 2013 8:57 AM
    "I suppose you also didn't read the link about hackers being able to unlock, start, and locate a vehicle via GPS with text messages? and what handles those commands? The ECU. which runs code. If you have access to the ECU wirelessly it can and will be hacked. "

    http://www.technewsdaily.com/7932-high-tech-car-theft.html

    "The thief attached a secret GPS tracker to the vehicle — and then locked it and left it where it was."

    I did read that part lol.
    They are using their own GPS tracking device not the GPS of the car.
    So they would still need physical access to place their own GPS device.


  • 0 Hide
    Hax0r778 , December 5, 2013 10:37 AM
    You don't need physical access to the car....

    http://www.autosec.org/pubs/cars-oakland2010.pdf

    http://www.autosec.org/pubs/cars-usenixsec2011.pdf
  • 0 Hide
    TheSource49 , December 5, 2013 12:51 PM
    The relationship between the private sector and federal government in terms of cyber security will be very interesting to watch over the next few years. I think you would be hard pressed to argue that the government will not have some direct intervention into cyber security programs or at least the auditing of them.

    Best practices in this field are often hard to identify. I would encourage you to read how companies like OPSWAT are advocating the use of multi-scanning and the higher detection rates that accompany such a method.
  • 0 Hide
    f-14 , December 5, 2013 1:54 PM
    ericburnby
    "...It would be like claiming you can break into my PC at home through the Internet when I left the Ethernet cable unplugged."

    Including your Bluetooth wireless mouse, keyboard or headset or your wireless card? And if it's that laptop with wireless built right into it?

    The study isn't a complete waste; it's the start of a measurement metric that will become more important down the road as more wireless access and computer components get built into automobiles.
    Nobody conceived of the idea of having computer parts in automobiles in the 60's and then not even a decade later EFI was introduced and ECMs were becoming standard in the 80's.

    P.S. The wire harness doesn't have to be accessed thru the dash, the whole bundle goes right out the firewall into the engine, which has no panel protection from underneath, and hoods/bonnets on automobiles are easy for any thief to pop open to gain direct access from above.

    Plus I'm sure there is always a way for someone to hack into OnStar at the service centers themselves, databases full of names, addresses, phone numbers, GPS information. Then what do you do?

    Common criminals break a window, professionals work as a team and kick in every door as well as come in thru the windows. That's how Anonymous works, if you say and think it doesn't happen.
  • 0 Hide
    ericburnby , December 5, 2013 3:27 PM
    To the people who mentioned wireless, let me explain how vehicles are set up.

    CAN bus is only one bus and most vehicles have more than one bus depending on what's being controlled. Further, vehicles can have more than one CAN bus. A high speed one dedicated to powertrain (engine, transmission, ABS) and a low speed one for other modules.

    Entertainment & communication functions would have their own bus which would connect to the rest of the vehicle through a gateway which basically passes messages back and forth. In this way, a failure of a general module would not disrupt communications between safety related modules on a different bus. They communicate by passing messages.

    There is no method in place whereby you could alter critical systems (like the engine) via wireless like Bluetooth or cellular EXCEPT for specific functions the automaker has implemented (for example, Onstar being able to turn your engine off if the police request them to). In this case the ECU will look for a specific message to perform the shutdown.

    If automakers made it possible to actually reprogram vehicle modules through wireless or over cellular then I could see a problem. But this is a LONG way off. Programming vehicles is something automakers want dealers to do with the vehicle connected to a stable power supply (charger) so programming can complete without incident.

    Like I said, I work in this field (designing those very modules used in cars). If you want to know more just ask.
  • 0 Hide
    ddpruitt , December 5, 2013 8:10 PM
    Quote:
    You don't need physical access to the car....

    http://www.autosec.org/pubs/cars-oakland2010.pdf

    http://www.autosec.org/pubs/cars-usenixsec2011.pdf


    Read more than just the abstracts. They needed physical access to the car to affect the drivetrain. All the wireless systems could affect were the convenience features. If you read between the lines you can see they tried to affect the drivetrain but couldn't. On top of that the experiments had some fairly severe flaws in them.
  • 1 Hide
    stefansavage , December 11, 2013 4:18 PM
    Hmm... if you actually read the second autosec paper, you'd find otherwise. I'll quote from it: "To be clear, for every vulnerability we demonstrate, we are able to obtain complete control over the vehicle’s systems." and then the paper goes on to describe this for several different channels including bluetooth and cellular. The claim that this is not possible is trotted out again and again, but is not backed up by the demonstrations described in this paper. As for the drivetrain comment, they were able to demonstrate turning the engine on and off and turning the brakes on and off. What they did not demonstrate was increasing acceleration. However, I think what is shown is enough to demonstrate safety concern. If there is a question about flaws, you should probably state what they are.