With the rapid proliferation of embedded devices and digital technologies in cars, it’s not too much of a stretch to imagine that car hacking is right around the corner, according to a report by security vendor McAfee.
Titled, “Caution: Malware Ahead,” the report explores the growing threat of cyber attacks and other security risks as more elements of automobiles can be controlled remotely via the web.
Tim Fulkerson, senior director of marketing for McAfee Embedded Security, said the report aimed to raise awareness and serve as a tool to start conversations with car manufacturers and secondary suppliers about incorporating security into their systems.
“What we’re trying to do is get ahead of some of these issues and work with industry, work with manufacturers as well as the various suppliers,” Fulkerson said. “It becomes more important that we work now to ensure that these things are addressed before we see these kinds of attacks grow over time.”
Specifically, the problem occurs in the embedded systems that are integrated both into the car itself as well as aftermarket solutions, such as a car TV or GPS system. Embedded devices can be found in just about every component of cars, including airbags, radios, power seats, anti-lock breaking systems, electronic stability controls, autonomous cruise controls, communication systems and in-vehicle communications.
However, the risk of cyber attacks and other security threats increases as more and more remote-controlled digital technology is introduced into automobiles, McAfee researchers said.
“There’s a big trend in the world moving from our standard PCs and laptops to Internet-enabled devices. Cars are no different,” he said. “Whether Bluetooth wireless handsets inside of cars or cool vehicle entertainment systems or cellular communications systems like GM OnStar, all of those are amazing technologies that offer increasing conveniences. That said, there is an increasing body of research demonstrating that these things are not entirely safe from hacking.”
The report found that hackers could potentially, remotely unlock and start a car via a cell phone, disable a car remotely, track a driver’s location, activities and routines, steal personal data from a Bluetooth system, disrupt navigation system and disable emergency assistance, among other things.
In one example, researchers from the University of California, San Diego and University of Washington created proof-of-concept software, known as CarShark, which could hack into a modern car using a laptop. That attack was then extended to launch attacks remotely via Bluetooth.
In another example, researchers launched an attack on a car’s tire pressure monitoring systems, called radio frequency identification (RFID) tags. The researchers were able to intercept the data transmitted over wireless short-distance communication to track the vehicle and compromise the passengers’ privacy, according to the report.
And Fulkerson said that the security issue surrounding embedded devices extended beyond cars to other Internet-controlled devices, such as medical equipment, Internet connected TVs and smart meters.
“With the adoption of embedded devices, there are all kinds of places where these things are becoming parts of our lives,” he said.
Medical devices were also at risk.
Last month during the Black Hat Conference, security researcher Jerome Radcliffe demonstrated various hacks against insulin monitors and insulin pumps used by Type 1 diabetics.
The biggest vulnerability occurred within insulin pumps that relied on radio frequency, or RF, for wireless remote control used for facilitating necessary communication between the device and the blood meter in order to dispense the required daily dose of insulin to the user. That unsecured wireless communication could be intercepted and subject users to potentially lethal hacks conducted with simple exploit tools, Radcliffe said.
Thus far, no actual attacks against these car components or embedded devices have occurred in the wild, Fulkerson said, but added that it would likely be a matter of time before their vulnerabilities were exploited.
“We’re not seeing these sorts of attacks yet. But It’s really important to get out ahead of this and make sure these sorts of things don’t happen,” he said. “You can really make a fairly clear logical leap to see that these things could well happen if we don’t take steps to prevent them.”