BreachExchange mailing list archives

Car hacking: The next global cybercrime?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 25 Oct 2013 23:14:00 -0600

http://www.cnbc.com/id/101123279

As modern cars evolve towards becoming fully autonomous, security experts
are warning of a new form of cybercrime: Car hacking.

Car hacking -- where criminals can either remotely direct or take control
of your car from their laptops -- has become a bigger and bigger headache
for car manufacturers and law enforcement bodies as in-car technology
becomes more sophisticated.

There are thousands of semi-autonomous cars already on the market
that contain in-car computer systems, or electronic control units (ECU),
responsible for safety functions such as detecting skids, predicting
crashes and performing anti-lock braking.

By 2020, car makers predict that cars could become fully autonomous and
manufacturers such as BMW have already created self-driving cars.

However, along with other computer systems, in-car technology is not
hacker-proof, as tests by academics and "white hat" hackers -- those that
break into computer systems to highlight security issues -- have shown.

Demonstrating their Pentagon-funded work at the global "DefCon" hackers
conference in Las Vegas in August, Charlie Miller and Chris Valasek showed
global security experts in attendance how they could take control of a 2010
Toyota Prius and Ford Escape model using just a laptop.

They were able to remotely take control of the cars' electronic smart
steering, braking, displays, acceleration, engines, horns and lights. They
could even make the fuel tanks show a full tank of gas when there wasn't.
To top it all, they did all this using an old Nintendo handset.

"Automobiles are no longer just mechanical devices. Today's automobiles
contain a number of different electronic components networked together that
as a whole are responsible for monitoring and controlling the state of the
vehicle," Miller and Valasek stated in their research -- "Adventures in
Automotive Networks and Control Units".

"Drivers and passengers are strictly at the mercy of the code running in
their automobiles and, unlike when their web browser crashes or is
compromised, the threat to their physical well-being is real," the authors
stated.

"You cannot have safety without security."

In 2011, researchers at the University of Washington and the University of
California-San Diego were able to wirelessly hack into cars, though they
withheld details of which cars they were able to "own" for fear of their
knowledge being used by criminals.

The potential danger of car hacking and its use by criminals has not been
lost on law enforcement bodies in both Europe and the U.S., where the
National Highway Traffic Safety Administration (NHTSA) has launched an auto
cybersecurity research program investigating car hacking.

The director of Europe's Cybercrime Centre, a body within the European
Union's law enforcement agency Europol, told CNBC that the potential for
in-car technology to be hacked and used for organised crime, revenge,
profit and competitive advantage was great.

"We are very concerned about the direction of car hacking," Troels Oerting
told CNBC on Thursday. "Everyone [in the car industry] wants to make cars
more helpful -- for them to help with steering, parking, braking and even
driving -- but if you do this the downside is that someone will try to use
this to their advantage and for criminals, this would generally be for
profit or revenge."

"Wireless technology is integrated into practically everything nowadays and
if there's wireless access to anything there's a possibility to remotely
control it," Oerting warned.

"We have already seen electronic devices being used to get into cars to
steal them but the next step we could see is someone able to manipulate the
car, steer and brake while you're in the car and without your knowledge,"
he said.

If a car could be remotely accessed, then, what was to stop organized crime
groups "eliminating" their enemies by literally driving their car remotely
off a bridge or cliff, Oerting said. In countries where carjacking was
common, such as South Africa, remotely accessing the in-car technology
could allow criminals to stop and open car doors very easily.

Oerting said that car manufacturers were aware of the issues and that
ultimately they were liable for the security -- or lack thereof -- of their
vehicles.

Following the "hacks" by white hat hackers Miller and Valasek in Las Vegas
this summer on the Ford and Toyota cars, the automotive industry has been
keen to respond and reassure consumers that they are tackling the security
issues in their vehicles.

A spokesman for Ford Motors, Craig Daitch, told CNBC that "while an attack
by a hacker who obtains physical access to a vehicle for a prolonged period
of time is difficult to completely diminish, Ford has made strides in
limiting the ways a hacker can fully take control of a vehicle."

Toyota's public affairs manager, Cindy Knight, meanwhile told CNBC that
"cyber-security is an important issue for the entire automotive industry,
from automakers to suppliers to the agencies that oversee motor vehicle
safety."

"At Toyota, we take seriously any form of tampering with our electronic
control systems. We strive to ensure that our electronic control systems
are robust and secure and we will continue to rigorously test and improve
them," she said.

Despite their reassurances, however, there is no guarantee that a computer
system is hack proof. "You will never know when criminals' knowledge keeps
up with the improvements to the technology," Europol's Oerting said.

"It's important that consumers and carmakers are aware of the downside to
technological developments. You need people to be able to drive using this
technology without fearing every five seconds that your car will be taken
over."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
