Hacking a Car - DARPA Goes for a Joyride

  • 25 July 2013

Userlevel 7
  • Retired Webrooter
In June, noted journalist Michael Hastings, infamous for his Gen. Stanley McChrystal interview, died in a fiery high-speed car crash under circumstances that could be described as "mysterious" at best.  He was driving his car in a familiar environment comprised of straight roads without curves.  In spite of the familiar environment and straight roads, the car accelerated to maximum speed, went out of control, and crashed, sending the car's engine flying out of the wreckage, landing it 200 feet away from the impact site.  Although the LAPD provided a statement that there was "no foul play involved," there wasn't enough left of the car to provide any true analysis due to the intensity of a fire so hot it was consistent with a thermite burn.  Besides that, would the police even know what to look for?¹
 



Following the accident, U.S. National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism, Richard Clarke, made a statement that the crash was “consistent with a car cyber attack. There is reason to believe that intelligence agencies for major powers -- including the United States -- know how to remotely seize control of a car."  He went on to say, "You can do some really highly destructive things now, through hacking a car, and it's not that hard.  So if there were a cyber attack on the car -- and I'm not saying there was, I think whoever did it would probably get away with it."²  This actually wasn't new information though.  It has been known that vehicles can be hacked and remotely controlled since 2010, when the University of California at San Diego proved it with a demonstration of their own.³

And now, fast forward to today - about a month after the mysteriously fateful accident.  Andy Greenberg of Forbes hops in a car with some DARPA car hackers and gets taken for a ride.  Along the way, the DARPA guys mess with his dashboard panel displays, honk his horn, jerk on his seatbelt, and, oh yeah, they cut off his brakes and crank up his accelerator.  At one point, Greenberg exclaims that his instinctual reaction at that point is to jump out the window.  Naturally however, the controls for the window are no longer his own.  His nervous laughter in the face of pressure is an unsettling reminder of how little control he has over his own environment.  All giggling aside, his normally comforting bubble of traveling personal space has been hijacked and transformed into what could easily become a speeding death trap on wheels.  Luckily for him, in this case, the hacker is riding with him in the back seat and has an incentive to try not to crash the car.
 


Some might point out the amount of physical labor that seems to have apparently taken place on the dashboard in order to make this hack work and exclaim that such attacks are "highly unlikely."  Lest we forget, there are systems in place already that can shut your car down in the middle of driving it.  Hastings' car was equipped with an MBRACE system - something similar to OnStar - a system that can be used to shut down a car in the middle of driving it.*  Consider - if you can remotely shut off a car with this system, what else can you remotely control, and how hard is it to hack that system?  We're talking about a wireless system that is configured to accept an input from a remote source for the purposes of controlling a vehicle - exactly the kind of system a targeted hack could exploit.  Bypassing that system altogether by using a physical hack might not necessarily be required, but it certainly provides another avenue by which to hack the vehicle.  In all likelihood, hacking only certain systems would require less tinkering under the dash.  It would also make sense for a hacker to bother to put the dashboard back on the car if they wanted to take advantage of an unsuspecting victim.  Clearly, there was no effort made in this video to camouflage the hacks, but that doesn't mean this kind of hack couldn't be carried out in a more covert fashion.
 
So at what point are we going to start talking about remote intrusion detection and prevention systems for automobiles?  It may be a little early yet for something like "Webroot SecureAnywhere for Cars," but there is a pretty clear need for that sort of thing to exist.  However, there are some difficulties.  Not all automobiles are created equally.  It's a lot of proprietary systems running unstandardized code for proprietary parts.  Standardizing a security solution across all of these diverse systems would be a challenging endeavor.  Nevertheless, unless automotive companies decide to step up and start locking these systems down a lot tighter, it appears there will continue to be a demonstrated need for a better automotive security solution.
 
¹http://www.sandiego6.com/story/details-of-reporter-hastings-death-remain-elusive-20130708
²http://www.huffingtonpost.com/2013/06/24/michael-hastings-car-hacked_n_3492339.html
³http://www.autosec.org/pubs/cars-usenixsec2011.pdf
*http://www.theblaze.com/stories/2012/07/18/cant-just-shut-it-off-anywhere-onstar-stops-stolen-camaro-during-police-chase/
 
What do you think?  Is this an issue for automotive manufacturers to address?  Do we need laws in place to mandate it?  Is this something the private security sector should get involved with?  If so, in what way?  If not, what's the alternative?  Discuss!

1 reply

Userlevel 7
One of my cars doesn't have an ECU/Power steering/ABS/Traction or any form of computer in it so it's safe 🙂 As long as vital systems are separated from human interfaces you would like to think you would be safe.
