The dream of autonomous vehicles is obviously alluring: Summon a driverless car with an app, hop into it a few minutes later, and settle in with a book or movie, or simply take a nap while it takes you anywhere you want to go — the next town, a nearby city, or a few states away.
But don’t hold your breath — it’s going to be a while. A recent project by a group of ethical hackers eliminates any doubts about that. Without breaking even a virtual sweat they were able to exploit vulnerabilities in 16 vehicle brands to control multiple functions remotely, including locking and unlocking, and starting or stopping the engine. Other vulnerabilities allowed them to access customer or employee personally identifiable information, to lock users out of remotely managing their vehicle and even to change ownership.
There’s more — lots more detail in the blog post written by the group’s leader Sam Curry, staff security engineer at Yuga Labs and self-described hacker and bug bounty hunter — but you get the idea. Computerized vehicles, while they offer conveniences and multiple safety features, remain a vulnerable attack surface. As the hacker group demonstrated, if the dream of fully autonomous cars came true now, it would be more of a nightmare.
This doesn’t mean it will always be this way. Vehicle security is slowly improving. But it’s not ready for prime time yet.
This should not be a major surprise. Nothing made by humans is perfect. That includes software, which runs just about everything from entertainment to communication, critical infrastructure, and yes, vehicles.
Modern vehicles are already semi-autonomous. Many experts refer to them as “smartphones on wheels,” and they’re not really joking. As TV ads relentlessly tell us, they come with adaptive cruise control, GPS, backup cameras, side-mirror cameras, accident avoidance, and “lane assist,” which was a major irritant when I drove a rental last year.
Indeed, as multiple experts have noted, a Dreamliner jet has about 6.5 million lines of code, while a Ford pickup has almost 20 times that — 130 million. That truck also has about 100 different chips, more than two miles of cable and 10 operating systems. That’s catnip to hackers, both ethical and malicious.
Make more things honk
The hacking group on this project — Curry and six friends — got interested in the possibilities when they were visiting the University of Maryland. They “came across a fleet of electric scooters scattered across the campus and couldn’t resist poking at the scooter’s mobile app. To our surprise, our actions caused the horns and headlights on all the scooters to turn on and stay on for 15 minutes straight,” Curry wrote.
That piqued their interest in “trying to find more ways to make more things honk.” And after brainstorming a bit they realized that “nearly every automobile manufactured in the last five years had nearly identical functionality. If an attacker were able to find vulnerabilities in the API [application programming interface] endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely.”
Exciting for them. Impressive to other security researchers — Travis Biehn, technical strategist with the Synopsys Software Integrity Group and a vehicle security expert called it “great work.”
But also alarming. The brands they hacked ranged from mainstream to luxury: Ford, Kia, Honda, Nissan, Mercedes, Acura, Hyundai, BMW, Rolls Royce, Toyota, Porsche, Jaguar, Land Rover, Ferrari, and Genesis. The list also included telematics companies like SiriusXM and Spireon, owner of the OnStar vehicle assistance service and a provider of GPS services for consumer vehicles.
“It’s enough to make you want to buy a car that is not internet-connected. Unfortunately, that seems to be impossible,” wrote Bruce Schneier, chief of security architecture at Inrupt and a self-described public interest technologist on his blog.
One of Schneier’s readers, Clive Robinson, linked to a BBC story about thieves needing only about a minute to steal a Range Rover Sport worth more than $100,000 from a couple in the U.K., without access to a key. Police found it a month later, wedged inside a shipping container on a vessel bound for Africa.
“While the police do not say it outright, they know that all these electronics being added to cars makes them easier to steal, not harder,” Robinson wrote.
Indeed, Curry reported that the vulnerabilities in Spireon’s telematics could have given them full administrative access to about 15.5 million vehicles as well as update device firmware.
“This would’ve allowed us to track and shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles,” he wrote.
Not a new problem
Stories about the vulnerabilities of connected cars aren’t new either. They’ve been a featured topic at just about every major security conference for at least a decade.
Andrea Palanca, a hacking researcher and member of a team that in 2017 demonstrated the viability of an attack on vehicle control systems through a vulnerability in the Controller Area Network (CAN) Bus standard, said at the time that the biggest barrier to improvement is that it is difficult to patch known vulnerabilities in the code for computers and sensors that control everything from infotainment to safety systems like steering, acceleration, and brakes.
Palanca couldn’t be reached for comment on this story. But in 2019 he said that not only are those devices produced by a global supply chain diverse enough to make anyone’s head spin, but they are also embedded in products that are in use for 7 to 10 years — considerably longer than other electronic consumer devices.
And given that a majority of the existing fleet is probably more than four years old, many of them were not designed for remote, or over-the-air (OTA), patching.
However, while all this may sound ominous — because it is — the news is not all bad. First, these hacks weren’t as potentially damaging as some earlier ones. The most infamous was conducted in 2015 by ethical hackers Charlie Miller and Chris Valasek, who remotely took over the controls of a Jeep Cherokee while a reporter was at the wheel. If they had intended to hurt or kill the driver, they probably could have done it.
Curry told The Security Ledger’s Paul Roberts in an email that his group wasn’t able to send commands remotely to the vehicles. “We were limited to the manufacturer functionality like starting the vehicle, unlocking it, tracking it, and opening the trunk,” he wrote.
But then, simply having the ability to start the vehicle remotely could be lethal, he noted, since starting a car in a closed garage could cause carbon monoxide to spread through the interior of a home.
But Biehn noted that if hackers “have the resources to kill you through your autonomous vehicle, they can dispatch someone to rub poison all over your underwear more cheaply.”
He said what is far more likely is that if vehicle security doesn’t improve, “people will be impacted by car ransomware, car spyware, or car crypto-mining ware.”
Cooperation—what a concept
What’s also encouraging is that the vulnerabilities the group found have been fixed. Curry and his group notified the companies of the vulnerabilities before making them public and the companies, in most cases, were quick to patch them.
In an email response to me, Curry wrote that “Every company we reported vulnerabilities to responded and had the issues fixed within one or two days. Many of them hopped into Zoom calls to better understand everything and asked us to help validate fixes.”
This, said Chris Clark, automotive software and security solutions architect at Synopsys, is an example of how “responsible disclosure” is supposed to work.
“The automotive industry is taking security seriously, and this is one of the activities that is visible to those outside the industry,” he said. “It also shows that OEMs and Tier 1s are leveraging existing standards in order to get better control of their supply chain and software development cycles.”
Clark, who recently returned from the Consumer Electronics Show in Las Vegas that featured a host of internet-connected vehicles, said he is confident that “autonomy will be a reality — a safe one. It will take better-developed software, algorithms, and computational power.”
“The industry must ensure that the ability to exploit a vulnerability comes at an extremely high cost to the attacker and that well-designed functional safety measures can take over in the event of a compromise,” he said. “But thankfully, companies are flocking to address this issue.”
Biehn said one of the ways to maintain an acceptable level of security will be to make it so you don’t have to take your car to the dealer to get a vulnerability fixed. “Automotive manufacturers have to make OTA updates easy, so there’s no period of time when there’s a cheap, easy, known method to kill you with your autonomous vehicle,” he said.
Curry is also optimistic, although cautiously so. “It’s really hard to predict the future, but I think eventually the benefits will outweigh the risks and self-driving cars will be something that is safe and available.”
But in the interim, while hacking vehicles remains alarmingly easy for skilled hackers, what should the owners of modern vehicles do? Simply disconnecting some of the telematics, as blog commenters have suggested, is unlikely to work for any but the most tech-savvy.
“Removing these systems from your car can be super difficult because of how codependent they are with each other,” Curry said. ”And buying a disconnected car made within the last five years is nearly impossible.”
“For the everyday person, making sure your account has a unique password and you employ two-factor authentication is your best bet. Many of these systems are ‘opt in’ where you purchase a subscription at a dealership, so making sure to decline is a good idea.”
“Also, if you’ve bought a used car, it’s worth it to take it to a dealership and make sure the previous owner doesn’t have access to any of the systems.”
