Automotive Navigation, Entertainment Systems Susceptible to Hackers: McAfee

On the heels of iSEC Partners' car hacking demonstration at Black Hat, McAfee issued a report highlighting the need for security in computers powering modern-day automobiles.

Automobiles are getting smarter as carmakers put in computers that can help drivers parallel park and add Internet connectivity to post Facebook or Twitter updates. They are also driving into uncharted territory as the smart features expose the vehicles to cyber-attacks, McAfee said in a recent report.

Vehicles are enhanced with embedded chips and sensors for an array of applications, but the systems and data collected are not protected, McAfee said in a report released Sept. 6. The number of Internet-connected devices is projected to climb from a billion in 2010 to 50 billion in 2020, of which the bulk will be embedded devices, according to the "Caution: Malware Ahead" report.

Technology is increasingly being added to vehicles to improve the safety features, monitor the condition of the engine and deliver entertainment to the passengers. Microchips are embedded in almost all parts of an automobile, including airbags, brakes, power seats, cruise-control systems, anti-theft gadgets and communication devices, McAfee said. However, security is "often" an afterthought in embedded devices, McAfee said.

"As more and more functions get embedded in the digital technology of automobiles, the threat of attack and malicious manipulation increases," said McAfee senior vice president and general manager Stuart McClure. Having a car hacked could result in "dire risks" to personal safety, he said.

The industry has forgotten about security threats in the past. The first remote keyless entry systems didn't use any security and were easily compromised, the study said. In the past, universal remote controls could be used to record a car's key signals, the researchers said.

The sensors used by roadside emergency services to find disabled cars can be abused by cyber-stalkers, the report found. Attackers can also disrupt car-navigation systems, steal personal data on mobile devices by compromising the car's Bluetooth connectivity or disable vehicles remotely, the researchers wrote. Even though there have been no known cases of attackers going after computer vulnerabilities in vehicles, the potential still exists, according to McAfee. While some of the attacks require the attacker to be in the physical proximity of the targeted car, some can be performed remotely, McAfee researchers said.

In fact, last month at the Black Hat security conference in Las Vegas, a security consultant with iSEC Partners showed a video demonstrating how he was able to unlock and start a car remotely by sending Short Message Service (SMS) commands from a smartphone.

The report also highlighted incidents where academic security researchers at Rutgers University, the University of South Carolina, the University of California, San Diego, and the University of Washington were able to remotely shut down cars, use the tire's radio-frequency identification system to track the driver's location, disrupt emergency assistance and navigation services, steal personal data from Bluetooth devices and compromise the critical safety system of the vehicle.

"The report highlights very real security concerns, and many in the auto industry are already actively designing solutions to address them," said Georg Doll, senior director for automotive solutions at Wind River.

McAfee, embedded device security firm Escrypt and smart gadget software firm Wind River collaborated on the automobile device security report. (Both McAfee and Wind River are part of Intel.)