McAfee: Cyber thugs will turn your car into Christine
Maybe. One day
Poorly secured embedded systems in next-generation cars create a way in for hackers, according to a new study by McAfee.
Hackers may be able to gain access everything from the locks to car engines and more, according to a report titled Caution: Malware Ahead that looks at the emerging risks in car system security.
McAfee, which partnered with Wind River and ESCRYPT on the report, paints a scenario where hackers might be able to create the hacker-compromised equivalent of the demonically-possessed Plymouth Fury from the Stephen King story Christine or something from The Transformers, perhaps.
Embedded computing devices are increasingly used in cars in areas including airbags; radios; anti-lock braking systems; electronic stability controls; autonomous cruise controls; communication systems; and in-vehicle communication. Researchers have demonstrated that critical safety components of an automobile can be hacked, giving hackers physical access to the vehicle’s electronic components. Other studies have shown how vehicles or their occupants can be tracked.
The car industry is continually adding features and technologies that deliver new applications such as internet access and the ability to further personalise the driving experience. In addition, there's a push to integrate cars with consumer devices such as smartphones and tablets. McAfee's concern is that in the rush to add all these new features security will be treated as an afterthought.
The McAfee study examines risks associated with cybercriminal activity including the possibility of:
- remotely unlocking and starting a car via mobile phone;
- remotely disabling a car;
- tracking a driver’s location, activities and routines;
- stealing personal data from a Bluetooth system;
- disrupting navigation systems; and
- disabling emergency assistance.
Examples of such attacks actually happening in real life are absent from McAfee's study. A interesting exercise by F-Secure a few years back singularly failed to infect a car via Bluetooth and we've not seen anything since to suggest that this has changed, even with advances in the sophistication of technology that might make such a scenario more feasible.
McAfee is nonetheless adamant that the potential for car-based hacker mischief is all too real.
"As more and more functions get embedded in the digital technology of automobiles, the threat of attack and malicious manipulation increases," said Stuart McClure, senior vice president and general manager, McAfee. "Many examples of research-based hacks show the potential threats and depth of compromise that expose the consumer. It’s one thing to have your email or laptop compromised but having your car hacked could translate to dire risks to your personal safety."
Depending on your point of view, the study is either aimed at raising awareness or is an attempt to talk up a threat that McAfee and its associates can then sell into.
"The report highlights very real security concerns, and many in the auto industry are already actively designing solutions to address them," said Georg Doll, senior director for automotive solutions at Wind River. "Given the development time for automobiles, the industry is finding it essential to start work now by teaming up with those possessing the right mix of software expertise."
McAfee banged on for many years about the looming threat of malware on mobile devices that has only recently become a real-world problem for some smartphone users. At least the car security report omits the automobile risk equivalent of the financial cost of mobile malware guesstimates that were a regular feature of its late '90s mobile threat reports.
Some of the more tin-foil-hat-wearing sections of the Reg readership may see the report as evidence why we should all move back to wholly mechanical cars, preferably models that rely on double de-clutching to change gear. Many would regard that as a step too far.
The McAfee study naturally concentrates on hacker-based threats without tackling the more immediate problem of what happens when those embedded devices go wrong without external interference. In such cases cars can subject occupants to white-knuckle high-speed rollercoaster rides that leave drivers powerless to brake or decelerate, as chilling tales from our occasional RoTM columns graphically illustrate (here, here and here).
There's also no mention of the perils of slavishly following SatNav instructions or near-death blunders involving GPS-based location kit, a serious omission we hope will be addressed in future editions of the report. ®
time to exit the denial phase, guys.
Sorry, I've a bit of a rant to get through here, having worked in precisely this field, and found very little acknowledgement of the longer term risks. This is not unexpected, newcomers to the field will always underestimate both the efforts and the rewards of exploiting weak computers.
The point is that you only need one clever guy to crack the system, and his exploit can then be packaged and sold to all and sundry.
The "reward potential" for a car is quite high, a sophisticated infotainment system will have all manner of passwords and accounts, phone numbers, possibly NFC (near field comms) e-payment details. This is not to mention any scam exploits - like putting a bogus, urgent fault on the car that directs you to the nearest "friendly" garage, where you are relieved of some money.
At the moment the industry is in the denial phase, it looks like too much effort, on too variable a platform. Good points both of them, cost and risk vs reward are the fundamentals of "the crime equation", but they are on a collision trajectory, costs will fall and rewards will rise.
I was a little disconcerted by The Reg's uncharacteristically poorly informed opinion:
"interesting exercise by F-Secure a few years back singularly failed to infect a car via Bluetooth and we've not seen anything since to suggest that this has changed, even with advances in the sophistication of technology that might make such a scenario more feasible"
I would recommend reading: http://www.autosec.org/pubs/cars-usenixsec2011.pdf
Wherein the following passage appears:"We next assess whether an attacker can remotely exploit the Bluetooth vulnerability without access to a paired device. Our experimental analyses found that a determined attacker can do so, albeit in exchange for a signiﬁcant effort in development time and an extended period of proximity to the vehicle.
They go on to describe in detail what can be done, today. Read on....
Parasites calling wolf
I think we are willing to accept there are security issues with embedded systems in vehicles, we just don't want to hear from a vendor of parasitic bolt on afterwards anti-virus packages. It's the developers of the systems that need to get the message on security.
"remotely unlocking and starting a car via mobile phone"
I'll gladly give anybody a mobile phone if they can start my Marina on a damp morning, even with the key.