Last month, a Rolling Stone journalist named Michael Hastings was killed in a traffic accident. There is a lot of chatter among conspiracy theorists that someone, somehow, took control of his vehicle and caused the crash. While the details remain foggy and we may never know what actually caused the accident, it is becoming increasingly clear that our high-tech wheels have become attractive targets for cyber attackers.
According to this article, a $25 tool is all someone needs to compromise the protections on two popular electronic control units (ECUs). The ECUs, which are made by Bosch, monitor and control a car’s acceleration, braking, steering, and other critical systems. The hacking tool takes control of the ECUs by breaking the encryption key that is used to encrypt and authenticate the messages exchanged between the ECU and the car’s many components. Once in, the attacker could force the ECU to send messages that would accelerate or brake the car at inopportune times, causing the driver to lose control.
This is scary, but not surprising. Any system that uses computers to perform its tasks is prone to cyber attack. Any such system operates simply on a strategically modulated sequence of electrical signals. If those electrical signals can be manipulated – and they always can – the system can be hacked and made to do things that weren’t part of the plan.
Automotive systems are becoming much more interconnected with other information systems, and there lies the bigger problem. Take, for example, my Nissan Leaf. One of the Leaf’s features is an app that runs on Apple and Android devices that allows you to monitor the car’s state of charge, turn on its air conditioner or heater, check its fluid levels, and inspect its overall health right from your phone or tablet from wherever you might be. It’s a cool, hey-look kind of feature. But think of the security implications there! The Leaf is not alone, of course. GM’s OnStar and Ford’s SYNC are similar services that allow not only you, but also the car’s manufacturer to monitor and control certain things about the car. These are nifty features, ones that entice buyers with significant convenience and safety benefits. But cyber attackers will find them convenient, too.
This is yet another theater for the epic battle between convenience and security. Anyone want to bet which one wins? To paraphrase Dave Mustaine, “[security] sells, but who’s buying?”