One hundred car owners got an abrupt wake-up call last year when a disgruntled former dealership employee in Austin, Texas, used an Internet-based vehicle immobilization system to reach out and touch their lives.
Electronic boxes installed by the used-car dealer receive a signal through a pager system. The horn honks, for example, when a payment is due. If payments are delinquent, the ignition is disabled.
Working from his home, moving alphabetically down a list of unsuspecting -- and paid up -- customers, the fired employee remotely set off car horns and disabled engines.
The damage that can be done by a few malicious keystrokes grows as cars become rolling high-tech showcases. Like any vandalism or theft, any physical damage due to car hacking is covered by your comprehensive car insurance, but that doesn’t reduce the creepiness of corporate monitoring, the tedium of repairing a stolen identity, or the nagging fear that your safety has been compromised.
A recently released report from the computer security company McAfee pulled together research done by several universities to evaluate the potential security threats to a cars' electrical components, which can be found in everything from radios to anti-lock brakes to electronic stability control systems to infotainment systems.
The threat to your car and your privacy is real, the studies find.
"It's not just theoretical. Attacks can take place," says Tim Fulkerson, senior director of marketing for McAfee Embedded Security.
Even the auto industry agrees. The subject has "kind of been lurking under the radar," says Peter Byk, an engineering specialist in the SAE International ground vehicle standards group, which formed a committee this spring to begin discussing safety and privacy concerns.
Don’t get out your tinfoil hat -- yet
The McAfee report looked at the potential for cybercriminals to track a driver's location, steal personal data from Bluetooth, disrupt navigation systems, disable emergency assistance systems and to unlock cars and start them remotely using cell phones.
So far the potential risks uncovered by researchers haven't translated into major problems in real life.
"We're not aware that anything like this is happening in the real world," says Russ Rader, spokesperson for the Highway Loss Data Institute. "There's no indication that theft claims are going up as electronic systems proliferate; theft claim frequency is going down."
The National Insurance Crime Bureau also has not received reports of vehicles being hacked, says spokesperson Frank Scafidi. "People should not be losing sleep over the report."
At the same time, he acknowledges "there is no such thing as a totally secure system."
Fulkerson says the goal of the McAfee report is to raise consumer awareness of the potential security threats. In addition, as more electronic bells and whistles are added to vehicles, the potential for problems rise.
Even something as simple as an MP3 player that is plugged into your car's stereo system should have antivirus protection, Fulkerson says.
Driving distraction and risk? We asked for it
Virtually every automaker offers some sort of onboard connectivity as mobile technology develops to meet consumer desires and needs. But what are the ramifications of being connected while behind the wheel ?
We already know that drivers’ insistence on seamless connectivity with the outside world creates huge safety issues of its own. (See “The mixed message on cell phone use.”)
It’s clear that drivers are willing to give up some of their privacy as well. For navigation to work, the computer has to know where you are. For “phone home” to dial correctly, your contacts need to be accessible. Data goes out, data comes in.
More than 6 million drivers in the U.S. use General Motors’ OnStar telematics system to ask for directions, access e-mail, get weather reports and ask for emergency services. Its GPS functionality also allows authorities to track a stolen car.
(They’ll trade their information for cheaper car insurance rates as well. An OnStar subscription is a key component to State Farm’s In-Drive program, which tracks driver behaviors and mileage and rewards low-risk drivers with discounts up to 50 percent.)
In a telling indicator of the kind of pressures the marketplace will witness in coming years, OnStar recently backed off proposed changes to its privacy policy that would have maintained its data connection to customers’ cars even after they ended their $199-a-year subscriptions. Before customers challenged the decision, OnStar had planned to keep the pipeline open and reserve the right to sell data gathered -- aggregated and without private information attached, of course.
Could a hacker crash your car?
Research funded by the U.S. National Science Foundation and conducted by the University of California San Diego and the University of Washington found that a cybercriminal with a laptop could access the internal network of two 2009 autos "to take over a broad array of safety-critical computer systems."
The research found, for example, that brakes could be disengaged while the car was in motion, making it nearly impossible to stop; or activated, forcing a sudden stop.
Another study, by Rutgers University and the University of South Carolina, found that radio frequency identification (RFID) tags, designed to keep track of vehicle tire pressure, can be used to track a vehicle and can pose a threat to passenger privacy if a cybercriminal uses a powerful long-distance reader.
Perhaps worse, the threats aren’t necessarily all linked to the car. A Facebook password stored in the car’s electronics systems, allowing updates on the fly, could tip off a stalker or burglar if he or she gained access to it.
As the number of electrical components in cars increases each year, it creates an increasing number of avenues for potential hackers to breach auto security, Byk says.
For example, the idea of someone potentially using RFID tags in a malicious manner "probably wasn't even considered" by automotive engineers, Byk says.
Protecting a moving target
Andre Weimerskirch, chief executive officer of ESCRYPT Inc., one of the partners in the McAfee study, says components must be protected so any potential attacker "needs to get through a security wall."
Weimerskirch says he's seen an increase in concern by auto manufacturers in the past couple of years, as they try to "anticipate risks and want to mitigate them."
The committee formed by SAE International members this year is discussing things such as testing and design standards for embedded electronic devices, Byk says, and plans to come up with strategies to identify and prevent potential security breaches.
Another topic will be how to mitigate the potential harm if a security breach occurs.
But hacking into an auto isn't a simple task. "It requires a certain amount of technical know-how to execute," he says. Cybercriminals not only need to have strong computer skills, they also have to be good at hacking.