"Carhacking" could replace carjacking as vehicles go high-tech
Everyone's heard of carjacking, the threat that someone may steal your vehicle while you're at the wheel. But could the bigger threat actually come from "carhackers"?
A new study by cybersecurity firm FireEye shows how today's car can be the data entry port for all sorts of threats, from a simple security breach that gives away your personal information to a remotely engineered theft that puts your auto on a collision course with every other vehicle on the interstate.
If this sounds futuristic, consider how far the automobile has come from the era of the stick shift to the driverless cars now being tested on the open road. "Today's average car has around 70 electronic control units," said the FireEye study, "and is comparable to a modern computer with local and wide area networks and file storage."
Malicious software is sure to follow this technology, just as it has leaked into every other computer system. No company and no one is immune, as Facebook (FB) founder Mark Zuckerberg found recently when his Twitter account was hacked. Automotive technology is in many instances much simpler to penetrate -- so simple that this writer witnessed a two-year-old who picked up a key fob and accidentally started the car.
For hackers, the process is even easier. Fiat Chrysler recalled 1.4 million Jeeps in 2015 after two computer hackers using Wi-Fi were able to manipulate the vehicle's radio and take over the steering and brakes. This hack went viral because it was a Wired reporter that had control taken away from him.
The same thing happened to 60 Minutes reporter Lesley Stahl, this time in a demonstration by the U.S. Defense Advanced Research Projects Agency (DARPA), which is trying to protect its drones against a similar technological threat.
Among the computer systems in your car that are, or will be, vulnerable are the vehicle-to-vehicle communications, which are now used for secure parking and lane-changing, according to FireEye. Collision-detection systems that use sensors to prevent an imminent crash could be spoofed to create one. Tire pressure monitoring could be reversed to flatten tires and disable a targeted vehicle in a desolate spot.
Much of the FireEye report reads like a Stephen King novel. The diagnostic port under the wheel could be "infected" by a malicious mechanic. And, since many motorists now give insurers and carmakers access to that port on a regular basis, that information could be accessed either at the vehicle or by hacking into the telematics that your car sends to the insurer, providing access to vehicle identification, location, driver's license information and mobile phone contacts.
That means a thief could not only find out where you're going, but where you live, and possibly when your home is likely to be unoccupied.
By using a phony keyless entry, a thief could take your car and hold it for ransom, or alternatively extort money by threatening to put your personal information on the Internet. By making car companies vulnerable to lawsuits by angry car owners, thieves could also try to blackmail the industry. Some "ransomware" hackers, as they are called, have even extorted money from sheriffs' departments.
Like all hacking threats, this one may be real or it may not. Or, as computer engineers joke, you may just not be aware of it yet. FireEye's purpose in publishing the study is to promote its "Red Team," which forecasts and evaluates threats and tries to prevent them. It admits that many of these doomsday scenarios may not be high priority.
But as more Star Wars paraphernalia continues to be loaded into your car, you may someday hear a strange voice on your Bluetooth saying: "Resistance is futile."
So fasten your seatbelt -- if you can. Your car's computers could take you for a bumpy ride.