Internet-connected vehicles may put hackers in the driver’s seat

By Robbie Webber
A pair of researchers remotely attacked a Jeep Cherokee and disabled the accelerator on the Interstate outside St. Louis to demonstrate that increasingly wired cars need better security. Although they are sharing their software hack with Chrysler so the company can patch the vulnerabilities, they point out that similar security breaches could be exploited by those who are less committed to safety.
Although connection to the internet is becoming a sought-after feature on cars—allowing drivers to listen to email messages, get weather updates, access favorite music playlists, or let kids watch streaming movies in the back seat—it may also allow hackers a portal into the car’s onboard computer and its controls. The volunteer driver in the experiment outlined in a Wired article found himself coasting and unable to move out of the way while a semi approached from the rear. The hackers also blasted the air conditioning, kept the washer fluid pouring onto his windshield, and changed his radio station to full-volume hip hop. Safely off the highway and in a parking lot, they disabled the brakes while the driver was parking, sending the car into a ditch.
These tricks were accomplished remotely via a laptop computer, without the driver giving the hackers access to his internet connection. This was all possible because the researchers found a security hole that allowed them access through the Jeep’s entertainment system. They claim that the Cherokee is simply the easiest to hack and that Chrysler is certainly not the only manufacturer with vulnerabilities.
The same day the article appeared in Wired, Senators Ed Markey and Richard Blumenthal introduced a bill that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards to secure vehicles and protect drivers’ privacy. The bill is a reaction to a Markey survey of carmakers released in February that shows the extent of the security holes in modern vehicles. The senators insist the timing with the Wired article is a coincidence.
The hack in Wired was not the first time that security flaws had been documented. The Center for Automotive Embedded Systems Security—a National Science Foundation-supported collaboration between researchers at the University of California San Diego and the University of Washington—released a paper in 2011 finding similar problems.
As cars become more internet-connected—whether for driving efficiency, personal productivity, or entertainment—security has become a significant concern. Both vehicle owners’ privacy and road safety are dependent on ensuring that hackers cannot break into cars with a bit of malicious code.
Robbie Webber is a Senior Associate at SSTI.