Feeds

McAfee: Cyber thugs will turn your car into Christine

Maybe. One day

High performance access to file storage

Poorly secured embedded systems in next-generation cars create a way in for hackers, according to a new study by McAfee.

Hackers may be able to gain access everything from the locks to car engines and more, according to a report titled Caution: Malware Ahead that looks at the emerging risks in car system security.

McAfee, which partnered with Wind River and ESCRYPT on the report, paints a scenario where hackers might be able to create the hacker-compromised equivalent of the demonically-possessed Plymouth Fury from the Stephen King story Christine or something from The Transformers, perhaps.

Embedded computing devices are increasingly used in cars in areas including airbags; radios; anti-lock braking systems; electronic stability controls; autonomous cruise controls; communication systems; and in-vehicle communication. Researchers have demonstrated that critical safety components of an automobile can be hacked, giving hackers physical access to the vehicle’s electronic components. Other studies have shown how vehicles or their occupants can be tracked.

The car industry is continually adding features and technologies that deliver new applications such as internet access and the ability to further personalise the driving experience. In addition, there's a push to integrate cars with consumer devices such as smartphones and tablets. McAfee's concern is that in the rush to add all these new features security will be treated as an afterthought.

The McAfee study examines risks associated with cybercriminal activity including the possibility of:  

  • remotely unlocking and starting a car via mobile phone;
  • remotely disabling a car;
  • tracking a driver’s location, activities and routines;
  • stealing personal data from a Bluetooth system;
  • disrupting navigation systems; and
  • disabling emergency assistance.

Examples of such attacks actually happening in real life are absent from McAfee's study. A interesting exercise by F-Secure a few years back singularly failed to infect a car via Bluetooth and we've not seen anything since to suggest that this has changed, even with advances in the sophistication of technology that might make such a scenario more feasible.

McAfee is nonetheless adamant that the potential for car-based hacker mischief is all too real.

"As more and more functions get embedded in the digital technology of automobiles, the threat of attack and malicious manipulation increases," said Stuart McClure, senior vice president and general manager, McAfee. "Many examples of research-based hacks show the potential threats and depth of compromise that expose the consumer. It’s one thing to have your email or laptop compromised but having your car hacked could translate to dire risks to your personal safety."

Depending on your point of view, the study is either aimed at raising awareness or is an attempt to talk up a threat that McAfee and its associates can then sell into.

"The report highlights very real security concerns, and many in the auto industry are already actively designing solutions to address them," said Georg Doll, senior director for automotive solutions at Wind River. "Given the development time for automobiles, the industry is finding it essential to start work now by teaming up with those possessing the right mix of software expertise."

McAfee banged on for many years about the looming threat of malware on mobile devices that has only recently become a real-world problem for some smartphone users. At least the car security report omits the automobile risk equivalent of the financial cost of mobile malware guesstimates that were a regular feature of its late '90s mobile threat reports.

Some of the more tin-foil-hat-wearing sections of the Reg readership may see the report as evidence why we should all move back to wholly mechanical cars, preferably models that rely on double de-clutching to change gear. Many would regard that as a step too far.

The McAfee study naturally concentrates on hacker-based threats without tackling the more immediate problem of what happens when those embedded devices go wrong without external interference. In such cases cars can subject occupants to white-knuckle high-speed rollercoaster rides that leave drivers powerless to brake or decelerate, as chilling tales from our occasional RoTM columns graphically illustrate (here, here and here).

There's also no mention of the perils of slavishly following SatNav instructions or near-death blunders involving GPS-based location kit, a serious omission we hope will be addressed in future editions of the report. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
Installing random interwebs shiz will bork your zombie box
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.