Hackers Can Target Cars

Wired reports that over 100 drivers in Austin, TX found their cars disabled or the horns honking out of control. This happened after an intruder ran amok in a web-based vehicle-immobilization system called Webtech Plus (PDF). Webtech Plus is normally used to get the attention of consumers delinquent in their auto payments. The app is operated by Cleveland-based Pay Technologies system. It allows car dealers to install a black box in the vehicle that responds to commands issued through a central website and relayed over a wireless pager network.

How he got in

Austin police claim the perpetrator was Omar Ramos-Lopez, a former Texas Auto Center employee who was laid off. The hacker allegedly sought revenge by bricking the cars sold from the Austin-area dealership. Reportedly, Mr. Ramos-Lopez’s account was closed when he was terminated, but he allegedly got in through another employee’s account. At first, the intruder targeted specific customers. The attacker later moved to access the database of all 1,100 customers whose cars were equipped with the device. It is charged that he went through the database, vandalizing the records, disabling the cars, and setting off the horns.

Cars are targets

The Webtech attack was an external attack, but Bob Brammer, CTO and VP at Northrop Grumman Information Systems (NOC), told GovInfo Security that cars themselves are likely to become targets. Mr. Brammer points out that most cars contain 50 to 100 or more tiny computers. The computers are controlled by over 100 megabytes of code that controls the accelerator, brakes, displays, steering, etc. All of these systems can be accessed through a diagnostic port that serves as the vehicle’s USB port. Mr. Brammer cites a study published in an IEEE journal: “It’s possible to take over a car, controlling the brakes, the accelerator, the steering wheel, despite whatever the driver might want to do. Our automobiles are highly vulnerable from a cybersecurity view.”

The paper, Experimental Security Analysis of a Modern Automobile (PDF), says the potential attack window could widen as more automakers offer vehicle-to-vehicle and vehicle-to-infrastructure communications networks to third-party development: “An attacker who is able to infiltrate almost any electronic control unit can leverage this ability to completely circumvent a broad array of safety-critical systems.” GigaOm cites data from iSuppli that Wi-Fi will be integrated into 7.2 million cars by 2017.

The researchers said they took control of a number of the car’s functions and the driver could do nothing about it. They bypassed basic network security protections within the car. They then embedded malicious code in the telematics unit to erase evidence of the hack’s presence after a crash.

More theoretical than practical

Mr. Brammer, for now, sees the threat to cars as more theoretical than practical. But he says it demonstrates that we must think about cyber-security more broadly than we have in the past. “As the trend is to put more IT into everything that we do – whether it’s cars, airplanes, power grids, water supplies, whatever – we have to think about the security aspects of the design. These systems, within reason, have to be able to withstand certain types of attempts to attack or exploit them. That’s a terrible thing to have to say, but I think that’s the way the world is these days.”

Wi-Fi can give attackers an entry point into critical systems. Professor Stefan Savage of the University of California, San Diego told Technology Review, “In a lot of car architectures, all the computers are interconnected, so that having taken over one component, there’s a substantive risk that you could take over all the rest of them. Once you’re in, you’re in.” This could lead to brakes failing or the steering wheel seizing on scores if not hundreds of cars simultaneously, causing catastrophic crashes.

rb-

Cars have become more computerized. They are linked through Wi-Fi and 3G networks, making our daily transportation vulnerable to hackers and cyber-attacks. Cyber-terrorists could target cars to begin the chain of events leading to a Hollywood-style disaster. Hopefully, the auto manufacturers are going to tighten up the security of our cars. If safety belts and airbags are any example, they will delay improving security.

Will the auto industry tighten the security onboard cars?

Will the government have to step in?

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
