Feeds

McAfee: Cyber thugs will turn your car into Christine

Maybe. One day

Using blade systems to cut costs and sharpen efficiencies

Poorly secured embedded systems in next-generation cars create a way in for hackers, according to a new study by McAfee.

Hackers may be able to gain access everything from the locks to car engines and more, according to a report titled Caution: Malware Ahead that looks at the emerging risks in car system security.

McAfee, which partnered with Wind River and ESCRYPT on the report, paints a scenario where hackers might be able to create the hacker-compromised equivalent of the demonically-possessed Plymouth Fury from the Stephen King story Christine or something from The Transformers, perhaps.

Embedded computing devices are increasingly used in cars in areas including airbags; radios; anti-lock braking systems; electronic stability controls; autonomous cruise controls; communication systems; and in-vehicle communication. Researchers have demonstrated that critical safety components of an automobile can be hacked, giving hackers physical access to the vehicle’s electronic components. Other studies have shown how vehicles or their occupants can be tracked.

The car industry is continually adding features and technologies that deliver new applications such as internet access and the ability to further personalise the driving experience. In addition, there's a push to integrate cars with consumer devices such as smartphones and tablets. McAfee's concern is that in the rush to add all these new features security will be treated as an afterthought.

The McAfee study examines risks associated with cybercriminal activity including the possibility of:  

  • remotely unlocking and starting a car via mobile phone;
  • remotely disabling a car;
  • tracking a driver’s location, activities and routines;
  • stealing personal data from a Bluetooth system;
  • disrupting navigation systems; and
  • disabling emergency assistance.

Examples of such attacks actually happening in real life are absent from McAfee's study. A interesting exercise by F-Secure a few years back singularly failed to infect a car via Bluetooth and we've not seen anything since to suggest that this has changed, even with advances in the sophistication of technology that might make such a scenario more feasible.

McAfee is nonetheless adamant that the potential for car-based hacker mischief is all too real.

"As more and more functions get embedded in the digital technology of automobiles, the threat of attack and malicious manipulation increases," said Stuart McClure, senior vice president and general manager, McAfee. "Many examples of research-based hacks show the potential threats and depth of compromise that expose the consumer. It’s one thing to have your email or laptop compromised but having your car hacked could translate to dire risks to your personal safety."

Depending on your point of view, the study is either aimed at raising awareness or is an attempt to talk up a threat that McAfee and its associates can then sell into.

"The report highlights very real security concerns, and many in the auto industry are already actively designing solutions to address them," said Georg Doll, senior director for automotive solutions at Wind River. "Given the development time for automobiles, the industry is finding it essential to start work now by teaming up with those possessing the right mix of software expertise."

McAfee banged on for many years about the looming threat of malware on mobile devices that has only recently become a real-world problem for some smartphone users. At least the car security report omits the automobile risk equivalent of the financial cost of mobile malware guesstimates that were a regular feature of its late '90s mobile threat reports.

Some of the more tin-foil-hat-wearing sections of the Reg readership may see the report as evidence why we should all move back to wholly mechanical cars, preferably models that rely on double de-clutching to change gear. Many would regard that as a step too far.

The McAfee study naturally concentrates on hacker-based threats without tackling the more immediate problem of what happens when those embedded devices go wrong without external interference. In such cases cars can subject occupants to white-knuckle high-speed rollercoaster rides that leave drivers powerless to brake or decelerate, as chilling tales from our occasional RoTM columns graphically illustrate (here, here and here).

There's also no mention of the perils of slavishly following SatNav instructions or near-death blunders involving GPS-based location kit, a serious omission we hope will be addressed in future editions of the report. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.