Why you don’t have to worry about your connected car being hacked

For those of you who are concerned about automotive cyber security, there is no need to worry about your car being taken over by hackers, yet. It is still difficult for cars to be hacked. Industry analysts note that hacking is very expensive and that only white hat hackers, media and universities have the ability to hack your car today. The automotive industry also has the tools to make its car systems more secure.

Security Options Exist

In the video AUTO Connected Car News shot at International CES, Argus Cyber Security stopped a web attack on an in-car infotainment system using Android 4.3. Senior software engineer Nizzan Kruvi shows how a web spoof invasion of the head unit with malicious code is thwarted by the Argus Cyber Security IPS.

Argus Cyber Security is a hardware and software solution with an Intrusion Prevention System (IPS) that prevents hacking while it’s happening. The software generates reports and alerts for remote monitoring.

The company claims that it could have stopped the Defense Advanced Research Projects Agency’s (DARPA’s) car-takeover demonstration on 60 Minutes that showed Lesley Stahl unable to control a masked car that looked a lot like a Chevy Impala.

In order for Argus Cyber Security to spoof the head unit, the web browser had to go to a website URL that had malicious code in it. Although hacking looks easy in videos, it is very difficult to accomplish.

In order for DARPA to get access to the car, they needed the OnStar phone number and a way to identify the vehicle, such as the OnStar account information, something most criminals could not get easily.

Car Hacking Takes a Long Time and is Expensive

Before Lesley Stahl’s car hijacking on 60 Minutes, hackers Charlie Miller and Chris Valasek hacked into various cars and appeared in dark-lit videos to scare drivers around the world. Their attacks often involved removing the dashboard and connecting directly into the vehicle’s computer systems, an expensive and time-consuming proposition.

Charlie Miller Tweeted that he “bricked” the head unit of a Jeep Cherokee. He had to pay an expensive repair bill before he could hack it some more. Miller continues to live-Tweet his car hacking adventures.

Valasek said at the Connected Car Expo that he thought hacking cars was fun. Both Miller and Valasek are on the board of IOActive, a security firm that now has an automotive practice to deliver cyber security strategies and risk mitigation for automakers and Original Equipment Manufacturers (OEMs). IOActive has also invested in a garage designed for researching vehicle and transportation security.

Before you worry about your car’s security, you should know that Valasek stated that it is very expensive to hack cars. In the case of DARPA, they have been working on it for years.

According to various industry sources, there are no known instances of automotive cyber attacks in the public.

Don’t Worry, It Can Be Fixed

We contacted Strategy Analytics analyst Roger Lanctot to see if GM OnStar car owners should be concerned about the DARPA 60 Minutes hack.

Lanctot noted that it is the first time he has seen a car hacked without removal of components in the car and soldering components to the hardware. It was obvious to car industry professionals that the car was a thinly disguised GM car, showing that GM cars with OnStar are more vulnerable than suspected.

In previous hacking announcements, such as when Argus Cyber Security found a vulnerability in Zubie, both companies worked together to release news of a fix at the same time. In this case, Lanctot says the situation is embarrassing for GM, because there has been no indication of a correction of the vulnerability, such as was the case when a UC San Diego team hacked OnStar five years ago.

Lanctot says that GM has the advanced technology to send out an over-the-air update to fix the problem when it is available. GM car owners should not be concerned.

“If you are a GM car owner, you should not be worried. The only criminals hacking cars are media, universities and ethical white hat hackers to call attention to the problem,” said Lanctot, who believes that OnStar is 18 years ahead of the industry with services such as the ability to remotely slow down and immobilize one of its cars in the event of a theft.

Lanctot also said that Daimler’s Mercedes-Benz embedded modems have security provided by Verizon Telematics.

Fox News reported that the car seen on 60 Minutes was a 2009 Impala running an older version of OnStar, according to GM spokeswoman Deana Alicia. GM isn’t sure if the software was modified by DARPA in any way.

GM partnered with DARPA on the five-year project that led to the hack. GM spokeswoman Renee Rashid-Merem says it has helped the automaker to “better understand how hackers may look at vehicles and how to improve hardware and software designs for current and future vehicles.”

Rashid-Merem stated that OnStar has a solution to the vulnerability uncovered by DARPA but could not confirm if an update to the software has been implemented. She stated that newer versions of OnStar systems are not at risk from the same type of attack and that GM has no knowledge of successful intrusions of its vehicles outside of a research environment.

Recently, BMW beefed up security to fix a “problem” with BMW ConnectedDrive systems and the SIM card.

Another new way to prevent cars from starting or being driven by the wrong person is to use biometric authentication of the eyes.