Every year, automakers endow vehicles with more brainpower. Top of the line models regularly sport dozens of computerized control units. Why all the computer hardware? It has allowed us to turn over parts of the driving task—such as maintaining a safe distance from the car ahead of us, or parallel parking—to the cars.
But the same systems engineered to keep cars from crashing—or at least to make driving less stressful—might soon be co-opted by criminals intent on attacking a single driver or causing widespread havoc. Several research groups have independently demonstrated smart cars’ vulnerability to cyberattacks via the Bluetooth, Wi-Fi, or cellular connections meant as conduits for entertainment, information, and communication. In a September report about the emerging risks in automotive system security, security firm McAfee pointed to an incident where a disgruntled former employee at a Texas car dealership used a remote car deactivation system to simultaneously shut off the engines of 100 vehicles.
Researchers at the University of California at San Diego and the University of Washington say that in their tinkering, they hit upon a cyberattack method by which thieves could cause large groups of cars to report their vehicle identification numbers (from which it is easy to determine the cars’ years, makes, and models) and GPS coordinates. Having learned where the most prized vehicles are parked, the technique would allow criminals to issue another set of commands that remotely bypass the cars’ security systems, unlock their doors, and start their engines. A similar technique, said the researchers, could be used to listen in on a driver’s phone conversations, or worse, to disable one or multiple cars’ brakes as they travel at highway speeds.
Automakers say they have gotten the message. A Chrysler spokesman says the company is seeking the advice of security experts in order to identify its cars’ vulnerabilities. Ford says it is “working to ensure that we’ve developed [cars that are] as resistant to attack as possible.”