Walk into a BMW, Infiniti or Cadillac showroom, and you might see a host of enticing new cars. Chris Valasek, on the other hand, sees targets for an attack.
He and a colleague have conducted the first industry-wide study of remote hacking possibilities (not actual hacks) for smart cars. The researchers are presenting their work at this week’s Black Hat security conference in Las Vegas.
While they discovered numerous potential exploits, they also found the hacks needed to open the cars’ computers to mischief to be time-consuming, expensive, and difficult. Don’t expect your Bluetooth-enabled 2015 Cadillac Escalade — vulnerable though it may be to theoretical attacks — to be maliciously transformed into a spam botnet, like press accounts earlier this year suggested some smart fridges could be.
Any rational hacker isn’t going to waste inordinate resources when botnets can always be made cheaper and easier going after vulnerable PCs and smartphones, Valasek says. On the other hand, companies that operate luxury cars for specialized purposes such as limousines and high-end security vehicles might want to pay special attention to this new work.
“Because the research effort is pretty great and very costly, a car [attack] would be very targeted,” he says. Dignitaries and other high-value occupants of smart cars make the most likely targets for the ultimate recipients of smart car hacks.
“If you have a vulnerability in your internet browser, someone may hack your computer and steal your credit card number,” he says. “But if they hack into your car, while it seems it’s much more difficult, the circumstances could be them wrecking your car or tracking wherever you drive. So I think that’s why people tend to be a little more scared about it.”
In the cases Valasek and his co-author Charlie Miller (whose day job is at Twitter) considered, of course, the bad guys would be the ones seizing control of the vehicle.
And for the 21 different cars the researchers surveyed, they considered three essential components of an attack: the possible ways in, the computers that could be compromised, and the control features —the “cyberphysical” assets as they call it—that those compromised automotive computers could then maliciously exploit.
For example, Valasek says, the three most vulnerable of the 21 cars they looked at were the 2014 Jeep Cherokee, 2015 Cadillac Escalade, and the 2014 Infiniti Q50.
“There’s a lot of remote connectivity,” he says of the Escalade. “They have cellular communications, bluetooth communications, regular radio communications. They have an internet app for your phone, and an app for your car. And there’s a lot of cyberphysical features. The car can brake itself. There’s power-assisted steering. Things like that.”
By contrast, the least hackable of the 21 were the 2014 Dodge Viper, 2014 Audi A8, and the 2014 Honda Accord.
Of the A8, for instance, Valasek and Miller report that “The vehicle not only separates viable attack points (Bluetooth, telematics, radio) from safety critical components (steering, braking, acceleration), but also has them working on different" computer networks.
For all 21 cars, the researchers were studying publicly available documentation and car specs available to mechanics on the car companies’ websites. Valasek says the next phase of his research will involve using their findings to try to actually hack and maliciously exploit one or more of the cars he studied.
He adds that the hacks and exploits are all in the service of finding holes in the system and helping the car companies patch them up before bad guys can do the same. Indeed, as of last month Valasek was appointed to head the new Vehicle Security Research team at his company IOActive.
He says the full report he and Miller will be presenting at Black Hat this week will be posted on IOActive’s website before the end of the summer.