More than 100 Texas drivers could have been excused for thinking that they had really horrendous luck or -- at least for the more superstitious among them -- that their vehicles were possessed by an evil spirit. That's because in 2010, more than 100 customers of a dealership called Texas Auto Center found their efforts to start their cars fruitless, and even worse, their car alarms blared ceaselessly, stopped only when the batteries were removed from the vehicles [source: Shaer].
What seemed to some to be a rash of coincidence and mechanical failure turned out to be the work of a disgruntled employee-turned-hacker. Omar Ramos-Lopez, who had been laid off by the Texas Auto Center, decided to exact some revenge on his former Austin, Texas employer by hacking into the company's Web-based vehicle immobilization system, typically used to disable the cars of folks who had stopped making mandatory payments [source: Shaer]. Besides creating plenty of mayhem and generating a flood of angry customer complaints, Ramos-Lopez, who was eventually arrested, highlighted some of the vulnerabilities of our increasingly computer-dependent vehicles from a skilled and motivated hacker.
Although Ramos-Lopez's attack generated a lot of attention, his hacking was fairly tame compared to the possibilities exposed by analysts at a number of different universities. Indeed, in 2010 researchers from the University of Washington and the University of California at San Diego proved that they could hack into the computer systems that control vehicles and remotely have power over everything from the brakes to the heat to the radio [source: Clayton]. Researchers from Rutgers University and the University of South Carolina also demonstrated the possibility of hijacking the wireless signals sent out by a car's tire pressure monitoring system, enabling hackers to monitor the movements of a vehicle.
Taken together, these events show that cars are increasingly vulnerable to the sort of viruses (also known as malware) introduced by hackers that routinely bedevil, frustrate and harm PC users everywhere. Obviously, this has real implications for drivers, although the researchers themselves point out that hackers have not yet victimized many people. But the ramifications are clear.
"If your car is infected, then anything that the infected computer is responsible for is infected. So, if the computer controls the windows and locks, then the virus or malicious code can control the windows and locks," says Damon Petraglia, who is director of forensic and information security services at Chartstone Consulting and has trained law enforcement officers in computer forensics. "Same goes for steering and braking."
Read ahead to find out why more technologically advanced cars are more at risk.
More Gadgets Equals More Vulnerability
Any mechanic who came of age in the 1960s and 1970s will tell you that cars today are unlike anything they learned to work on, so chock full of computers that they seem more the realm of an IT geek than a grease monkey. And it certainly is true that modern vehicles have plenty of computers, although by and large they're not exactly like PCs. "Cars have much simpler processors than a home computer and are designed to do simple, dedicated tasks," says Cameron Camp, a researcher at ESET, a technology security company.
Indeed, most cars today have numerous so-called "embedded systems," which are small computers controlling very specific aspects of the car's functioning, such as air bag deployment, cruise control, anti-lock braking systems and power seating. While these embedded systems share the same architecture as a PC -- they utilize hardware, software, memory and a processor -- they are more akin to a smartphone in sophistication than a laptop. Automotive computers have been more or less immune to hackers and viruses because, unlike PCs, there have been few ways for outside computers or people to connect with vehicle computers.
In general, introducing a virus required physical control of the car. "In the past this would have been difficult as the only way to access a car's computer was through the use of a manufacturer's diagnostic or reprogramming equipment," says Robert Hills, senior education program manager at the Universal Technical Institute, which specializes in technical education and training for the automotive industry. In other words, it would require a mechanic introducing a virus through the computer or software used to diagnose a problem with the car.
According to Aryeh Goretsky, another researcher at ESET, it's also expensive to develop viruses for many cars because there's a lack of hardware, software and protocol standardization. "That would make it difficult for an attacker to target more than a few makes and models of an automobile at a time," he says.
But vulnerability to hacking and viruses grows as car computers become more connected to the outside world. "As more and more cars are getting interfaces with Internet sites such as Pandora and even Facebook, cars get two-way communication and are therefore by definition more vulnerable," says Cas Mollien, an information and communication technology strategist with Bazic Blue. With more entertainment and communication devices -- including MP3 and iPod adapters and USB ports -- come more channels for viruses to potentially enter a car.
Click ahead to discover why more and more benefits from automotive computers mean even more danger.
A Glimpse into the Not Too Distant Future
Cas Mollien of Bazic Blue says that the advent of communication and entertainment devices is not yet a big problem. "As long as the multimedia interface is separated from the car's control computers, the worst that could happen is a malfunction of the multimedia equipment," he says. "However, as soon as these two components are connected, the door is wide open and it is only a matter of time for a smart hacker to find a way to cross over. Then we will have a problem."
That problem could quickly spread, literally, as the ability of car computers to communicate with one another improves. "Manufacturers are working on that and future vehicles will likely have the ability to share information about safety, traffic situations ahead and more," says Robert Hills of the Universal Technical Institute.
Not surprisingly, automakers are said to be working on ways to prevent hackers from introducing viruses into cars and otherwise making mischief, although details of their efforts are not readily available. Still, opinions are mixed about how much of a concern this really is for future drivers. Petraglia of Chartstone Consulting says the time to start planning is now, since it will allow for preventative measures to be implemented before the problem is pervasive.
But ESET researcher Goretsky isn't losing any sleep about it. "We always have to worry about risks everyday, whether it's using a computer or driving a car," he says. "The potential risk of a computer virus on an automobile would certainly not prevent me from buying one."
- Camp, Cameron. Researcher at ESET, a technology security company. Personal correspondence. Sept. 15, 2011.
- Clayton, Mark. "Scientists hack into cars' computers -- control brakes, engine." The Christian Science Monitor. Aug. 13, 2010. (Sept. 12, 2011). http://www.csmonitor.com/USA/2010/0813/Scientists-hack-into-cars-computers-control-brakes-engine
- Goretsky, Aryeh. Researcher at ESET, a technology security company. Personal correspondence. Sept. 15, 2011.
- Hills, Robert. Senior education program manager at Universal Technical Institute. Personal correspondence. Sept. 16, 2011.
- Mills, Elinor. "Hacking a car (Q&A)." CNET. May 14, 2010. (Sept. 13, 2011). http://news.cnet.com/8301-27080_3-20005047-245.html
- Mollien, Cas. Information and communication technology strategist at Bazic Blue. Personal correspondence. Sept. 14, 2011.
- Petraglia, Damon. Director of forensic and information security services at Chartstone Consulting. Personal correspondence. Sept. 13, 2011.
- Shaer, Matthew. "Disgruntled hacker remotely disables 100 cars." The Christian Science Monitor. March 18, 2010. (Sept. 13, 2011) http://www.csmonitor.com/Innovation/Horizons/2010/0318/Disgruntled-hacker-remotely-disables-100-cars