While you're busy protecting your computer from being hijacked by viruses, Trojan horses, botnets, and other malware, your software-enabled car might be compromised by hackers.
It sounds somewhat science fictionish, but a new white paper from the security company McAfee Inc. (NYSE: MFE) points to some disturbing possibilities.
The paper, "Caution: Malware Ahead," is written by authors from McAfee; Wind River, an Intel Corp. subsidiary specializing in mobile software and embedded software platforms (such as those for automobiles); and Escrypt Inc., which sells security software for embedded systems. It's the first in a series of white papers about security for embedded devices.
Even though it's in these companies' interests to promote their respective products -- and a few scare tactics couldn't hurt -- the increasing use of software in vehicles, including wireless integration via laptops, GPS, and cellular phones, could indeed create security threats.
As the white paper points out:
Automakers distinguish their models through electronics, and the trend of introducing embedded microcontrollers and communication capabilities is on the rise. These embedded devices are used in almost all areas of vehicles, including airbags, the radio, power seats, anti-locking braking system, electronic stability control, autonomous cruise control, communication system, and in-vehicle communication.
Many automakers promote integrated entertainment and communications systems, such as Ford's SYNC, GM's OnStar, and BMW's Assist. Could anyone with even the slightest bit of imagination not think of the possibility of a movie or novel where hackers take control of vehicles that are spewing all sorts of wireless signals -- cellular, WiFi, Bluetooth, GPS -- that could be captured, decoded (if that's even necessary), and controlled?
For example, the white paper cites how researchers from the University of California-San Diego and the University of Washington developed CarShark, a remote control software package, and loaded it onto a laptop that was plugged into a vehicle's diagnostic system. While riding in a car next to the test vehicle, the researchers were able to use another laptop to wirelessly stop the electronic brakes from working, make them work unevenly, turn off the engine, and falsify the speedometer reading.
CarShark also could be used by hackers in concert with decoding Bluetooth PINs. Some external devices, such as headsets, can work with vehicle systems that have Bluetooth, and researchers are examining how to crack the PINs.
Consumers don't have to worry about professors shoving laptops into their cars to turn them into killing machines -- just yet -- but don't think wireless vehicular problems aren't occurring right now.
In Austin, a former collections agent for a car dealer was able to stop more than 100 vehicles from starting and make their horns honk. Oscar Ramos-Lopez accessed the dealership's remote vehicle immobilization system, which was provided by Pay Technologies LLC to disable vehicles whose owners don't make timely loan or lease payments.
Hacking into security systems -- legitimately, to determine computer vulnerabilities -- is part of Kevin Finisterre's business as a security consultant. Finisterre was hired to check out security for an unnamed US police department. He was able to scan the department's IP addresses, use FTP and telnet commands to hack into a Linux device installed in police cars, and view live audio and video feeds of police cars as they cruised around the city. He noted that the transmissions were unencrypted over cellular networks.
Finisterre has published a detailed account of his tests (PDF).
Don't think his efforts are unrelated to consumers. For a few years, automakers have been integrating WiFi/cellular hotspots into vehicles and promoting their use for business. But the more hotspots (with unencrypted signals) you have, the better the chance for hacking.
Also, for several years, systems have been available for consumers to start their vehicles remotely, either through dedicated pocket-sized devices or applications on cellular phones. Unencrypted wireless signals issued by such applications could be hacked, and even encrypted signals could be decoded.
And how's this for timeliness? Yesterday, Ford Motor Co. and Bug Labs announced a venture to create OpenXC, an open-source platform for developers to create plug-and-play dashboard modules to expand a vehicle's connectivity and features.
Open-source docking station modules -- what could go wrong?
— Alan Reiter, President, Wireless Internet & Mobile Computing