Feeds

McAfee: Cyber thugs will turn your car into Christine

Maybe. One day

Choosing a cloud hosting partner with confidence

Poorly secured embedded systems in next-generation cars create a way in for hackers, according to a new study by McAfee.

Hackers may be able to gain access everything from the locks to car engines and more, according to a report titled Caution: Malware Ahead that looks at the emerging risks in car system security.

McAfee, which partnered with Wind River and ESCRYPT on the report, paints a scenario where hackers might be able to create the hacker-compromised equivalent of the demonically-possessed Plymouth Fury from the Stephen King story Christine or something from The Transformers, perhaps.

Embedded computing devices are increasingly used in cars in areas including airbags; radios; anti-lock braking systems; electronic stability controls; autonomous cruise controls; communication systems; and in-vehicle communication. Researchers have demonstrated that critical safety components of an automobile can be hacked, giving hackers physical access to the vehicle’s electronic components. Other studies have shown how vehicles or their occupants can be tracked.

The car industry is continually adding features and technologies that deliver new applications such as internet access and the ability to further personalise the driving experience. In addition, there's a push to integrate cars with consumer devices such as smartphones and tablets. McAfee's concern is that in the rush to add all these new features security will be treated as an afterthought.

The McAfee study examines risks associated with cybercriminal activity including the possibility of:  

  • remotely unlocking and starting a car via mobile phone;
  • remotely disabling a car;
  • tracking a driver’s location, activities and routines;
  • stealing personal data from a Bluetooth system;
  • disrupting navigation systems; and
  • disabling emergency assistance.

Examples of such attacks actually happening in real life are absent from McAfee's study. A interesting exercise by F-Secure a few years back singularly failed to infect a car via Bluetooth and we've not seen anything since to suggest that this has changed, even with advances in the sophistication of technology that might make such a scenario more feasible.

McAfee is nonetheless adamant that the potential for car-based hacker mischief is all too real.

"As more and more functions get embedded in the digital technology of automobiles, the threat of attack and malicious manipulation increases," said Stuart McClure, senior vice president and general manager, McAfee. "Many examples of research-based hacks show the potential threats and depth of compromise that expose the consumer. It’s one thing to have your email or laptop compromised but having your car hacked could translate to dire risks to your personal safety."

Depending on your point of view, the study is either aimed at raising awareness or is an attempt to talk up a threat that McAfee and its associates can then sell into.

"The report highlights very real security concerns, and many in the auto industry are already actively designing solutions to address them," said Georg Doll, senior director for automotive solutions at Wind River. "Given the development time for automobiles, the industry is finding it essential to start work now by teaming up with those possessing the right mix of software expertise."

McAfee banged on for many years about the looming threat of malware on mobile devices that has only recently become a real-world problem for some smartphone users. At least the car security report omits the automobile risk equivalent of the financial cost of mobile malware guesstimates that were a regular feature of its late '90s mobile threat reports.

Some of the more tin-foil-hat-wearing sections of the Reg readership may see the report as evidence why we should all move back to wholly mechanical cars, preferably models that rely on double de-clutching to change gear. Many would regard that as a step too far.

The McAfee study naturally concentrates on hacker-based threats without tackling the more immediate problem of what happens when those embedded devices go wrong without external interference. In such cases cars can subject occupants to white-knuckle high-speed rollercoaster rides that leave drivers powerless to brake or decelerate, as chilling tales from our occasional RoTM columns graphically illustrate (here, here and here).

There's also no mention of the perils of slavishly following SatNav instructions or near-death blunders involving GPS-based location kit, a serious omission we hope will be addressed in future editions of the report. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.