On the heels of iSec Partners' car hacking demonstration at Black Hat, McAfee issued a report highlighting the need for security in computers powering modern-day automobiles.
Automobiles are getting
smarter as carmakers put in computers that can help drivers parallel park and
add Internet connectivity to post Facebook or Twitter updates. They are also
driving into uncharted territory as the smart features expose the vehicles to
cyber-attacks, McAfee said in a recent report.
Vehicles are enhanced with
embedded chips and sensors for an array of applications, but the systems and
data collected are not protected, McAfee said in a report released Sept. 6. The
number of Internet-connected devices is projected to climb from a billion in
2010 to 50 billion in 2020, of which the bulk will be embedded devices,
according to the "Caution: Malware Ahead" report.
Technology is increasingly
being added to vehicles to improve the safety features, monitor the condition
of the engine and deliver entertainment to the passengers. Microchips are
embedded in almost all parts of an automobile, including airbags, brakes, power
seats, cruise-control systems, anti-theft gadgets and communication devices, McAfee
said. However, security is "often" an afterthought in embedded
devices, McAfee said.
"As more and more
functions get embedded in the digital technology of automobiles, the threat of
attack and malicious manipulation increases," said McAfee senior vice
president and general manager Stuart McClure. Having a car hacked could result
in "dire risks" to personal safety, he said.
The industry has forgotten
about security threats in the past. The first remote keyless entry systems
didn't use any security and were easily compromised, the study said. In the
past, universal remote controls could be used to record a car's key signals,
the researchers said.
The sensors used by roadside
emergency services to find disabled cars can be abused by cyber-stalkers, the report
found. Attackers can also disrupt car-navigation systems, steal personal data
on mobile devices by compromising the car's Bluetooth connectivity or disable
vehicles remotely, the researchers wrote. Even though there have been no known
cases of attackers going after computer vulnerabilities in vehicles, the
potential still exists, according to McAfee. While some of the attacks require
the attacker to be in the physical proximity of the targeted car, some can be
performed remotely, McAfee researchers said.
In fact, last month at the Black
Hat security conference in Las Vegas a security consultant with iSEC Partners
showed a video demonstrating how he was able to unlock
and start a car remotely
by sending Short Message Service (SMS) commands from
The report also highlighted
incidents where academic security researchers at Rutgers University, the
University of South Carolina, the University of California, San Diego, and the University
of Washington were able to remotely shut down cars, use the tire's radio-frequency
identification system to track the driver's location, disrupt emergency
assistance and navigation services, steal
personal data from Bluetooth
devices and compromise the critical safety
system of the vehicle.
"The report highlights
very real security concerns, and many in the auto industry are already actively
designing solutions to address them," said Georg Doll, senior director for
automotive solutions at Wind River.
McAfee, embedded device
security firm Escrypt and smart gadget software firm Wind River collaborated on
the automobile device security report. (Both McAfee and Wind River are part of