This week at the 31st IEEE Symposium on Security & Privacy, researchers from the Center for Automotive Embedded Systems Security (CAESS) will present a paper titled "Experimental Security Analysis of a Modern Automobile," in which they say they have demonstrated:
"that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input—including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on."
The researchers also say that an attacker can embed "malicious code in a car’s telematics unit and that will completely erase any evidence of its presence after a crash."
The researchers from CAESS - a collaboration between researchers at the University of California San Diego and the University of Washington with a mission to help ensure the security, privacy, and safety of future automotive embedded systems - wanted to provide solid, experimental data, not just theoretical results, on what could happen during a hacking attack.
Not to put too fine a point on it, the researchers, whose work was supported by funding from the National Science Foundation, say that while automotive manufacturers have spent a lot of time worrying about car safety, the priority of car IT security may need to be raised a tad.
In a New York Times article last week, one of the researchers, Professor Stefan Savage, a computer scientist at UCSD, was quoted as saying,
"... you should expect that various entry points in the automotive environment are no more secure in the automotive environment than they are in your PC."
Hmm, makes me wonder how soon it will be before your car dealership starts offering you a yearly subscription to virus protection software for your car.
Hacking into cars' electronic systems is not new, of course. Almost since car electronic systems first appeared, people have been trying to exploit them, for instance, by hacking into cars' wireless key systems or into cars' ECUs to boost engine output. Hacking GM's On-Star system seems especially popular.
You can read more about the use of software in cars in an article I wrote last year for IEEE Spectrum here.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.