I sat in front of the fire in my fireplace, and opened the heavy leather parcel I’d removed from my car. I’d purchased the car only the day before, and while I knew there were some technology improvements over the vehicle I’d gotten rid of, I wasn’t quite prepared for just how much things have changed in only a few years.
Inside the package was a series of manuals, one of which was an inch thick and devoted to something Mercedes Benz calls COMAND—yes, that’s how it’s spelled.
I leafed through the pages and found myself reading about real-time weather maps, complete with satellite and radar imagery. I could read current restaurant reviews from Yelp. And if I called the right number, I could have the company unlock my car or even send help if I crashed. These are some powerful new capabilities that I hadn’t realized existed, at least to the level they’d obviously reached.
Then I thought about my wife’s car, also of German design and recalled that it had similar capabilities, and in her case, they even included the ability to remotely program the navigation.
But these capabilities weren’t unique to German cars, or even cars from Europe. As recent news reports have revealed, cars of American, Japanese and Italian design have similar connectivity features and they bring similar cyber-security risks—some have significant exposures beyond what we normally hear about.
“The Nissan Leaf only requires its VIN [vehicle identification number] for authentication,” said Craig Young, a security researcher at Tripwire. Young noted that the VIN is visible from outside the car so that anyone can find it, and if they have the mobile app for the Leaf, can use it to control some features of the car.
Young said that for someone to break into a Leaf, the car first has to have the mobile application set up, but once that is done, anyone can send requests to the car or view information about it. “The controls are just the air conditioning,” he said. However, “you can also read information, including charging status, the user name of the owner, battery condition, all the trips, the times they’re driven and the efficiency of the drives.”
Young said that it would be really easy to use the information from the Leaf to determine when the owner is likely not to be home. He also said that while you couldn’t drive the car, you could turn on the air conditioning and run the battery down so that the driver would be stranded.
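The weakness Young describes is that a VIN is an identifier, not a secret: anyone who can read it through the windscreen can present it. The following is an added illustration, not code from the article, from Nissan or from any carmaker's app; it models a hypothetical telematics service with a vehicle record, an owner name and a server secret that are all constructed for the example, and contrasts a VIN-only check with an owner-bound token so that the same request from a stranger is rejected.

```python
"""Added example (not from the article): a publicly visible identifier such as a
VIN must not be the only thing a telematics API checks before returning data."""
import hashlib
import hmac
import secrets

# Constructed sample data: the VIN, owner and trip log are made up for this example.
VEHICLE = {
    "vin": "VINEXAMPLE0000001",
    "owner": "alice",
    "charge_pct": 78,
    "trips": [("2016-03-01 07:55", "2016-03-01 08:30")],
}


class AuthError(Exception):
    pass


def vehicle_info_vin_only(vin):
    """Weak design: the VIN, readable from outside the car, is the only check."""
    if vin != VEHICLE["vin"]:
        raise AuthError("unknown vehicle")
    return {"charge_pct": VEHICLE["charge_pct"], "trips": VEHICLE["trips"]}


# Hardened design: at app setup the service authenticates the owner and issues a
# token bound to (owner, vin). Knowing the VIN alone proves nothing.
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret, constructed here


def issue_token(owner, vin):
    """Hypothetical issuance step; a real service would only call this after
    verifying ownership and would add an expiry."""
    msg = f"{owner}|{vin}".encode()
    return owner + ":" + hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def vehicle_info_with_token(vin, token):
    try:
        owner, tag = token.split(":", 1)
    except ValueError:
        raise AuthError("malformed token")
    expected = issue_token(owner, vin).split(":", 1)[1]
    # constant-time comparison so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(tag, expected):
        raise AuthError("bad token")
    # defence in depth: the token must name the vehicle's registered owner
    if owner != VEHICLE["owner"] or vin != VEHICLE["vin"]:
        raise AuthError("token not bound to this vehicle")
    return {"charge_pct": VEHICLE["charge_pct"], "trips": VEHICLE["trips"]}


def demo():
    """Run the three cases and report what each caller gets back."""
    results = {}
    vin = VEHICLE["vin"]
    # Weak design: a stranger who copied the VIN receives the charging and trip data.
    results["vin_only_stranger"] = "trips" in vehicle_info_vin_only(vin)
    # Hardened design, same VIN, a guessed token: rejected.
    try:
        vehicle_info_with_token(vin, "mallory:" + "0" * 64)
        results["token_stranger"] = "allowed"
    except AuthError as e:
        results["token_stranger"] = str(e)
    # Hardened design, a validly signed token for a different account: rejected.
    try:
        vehicle_info_with_token(vin, issue_token("mallory", vin))
        results["token_other_owner"] = "allowed"
    except AuthError as e:
        results["token_other_owner"] = str(e)
    # The registered owner with her own token still gets through.
    results["token_owner"] = "trips" in vehicle_info_with_token(vin, issue_token("alice", vin))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the contrast is that the hardened service never trusts the request's own claim of identity: the credential is minted by the server, tied to a specific owner and vehicle, and checked with a constant-time comparison. Under that design, reading the VIN off the dashboard gives an outsider nothing, which is exactly the property Young says the VIN-only scheme lacks.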
It’s an example of dealing with security on the Internet of things. “Cars are large Internet of things devices,” said Craig Smith, author of the soon-to-be-published “The Car Hacker’s Handbook,” in which he describes how to find vulnerabilities and understand how the data systems and data networks in cars operate. Smith said that he’s been working with auto makers for years helping to close their vulnerability gaps.
Your New Car May Connect You to Greater Cyber-Risk
Smith said that much of the problem is that, like many other IoT devices, the computers in cars are designed with the assumption that they’re internal devices that aren’t connected. Now they are, and the designers have to deal with the learning curve that requires.
“They’re doing better than when I first started,” Smith said. “They’re taking security seriously.”
Unfortunately, not all is rosy inside IoT land. “A lot of it, the more severe stuff, tends to be based on wireless communications,” Smith explained. “There are usually not a lot of barriers to getting into the trusted system.”
I thought about the car I’d purchased just two days before and its ability to get weather radar and Yelp reviews. Smith said that the worst vulnerabilities are centered around cellular communications and other types of wireless as well. Wireless communications can also include on-board WiFi hotspots and on-board diagnostic systems. But, at least, most of the car companies aren’t totally clueless when it comes to security.
“I’m seeing the automotive industry doing a lot more threat modeling,” Smith said. Unfortunately, there’s no good way for people who buy and drive connected cars to do much about the security since there aren’t any antivirus or anti-malware packages out there for cars. On the other hand, some carmakers are paying attention, even to the extent of offering over-the-air updates.
I thought back to the conversation I’d had with a member of my carmaker’s support team. “You need to go to a local dealer and get your car’s software updated,” she said. She’d been checking my car online, and apparently didn’t like what she’d seen. For other vendors, notably Tesla, the updates are pushed to the car if there’s a WiFi network available.
Smith said that cars, like other Internet of things (IoT) devices, could be a lot more secure than they are. “There’s not a whole lot you can do without security standards,” he said. Much of the problem is that the folks who design car systems weren’t used to thinking about security first. “They had the mentality that the vehicle was trusted,” Smith said. “They assumed that the cellular network was secure.”
Smith advocates for greater openness on the part of the manufacturers, explaining that by allowing anyone to examine the basic code, automotive systems are much more likely to be secure since there are more eyes to spot problems. He pointed to Tesla, which has a HackerOne project, which allows owners and researchers to notify the company of apparent security breaches.
“GM has a vulnerability exposure process” in which revealing holes in the company’s security is encouraged, Smith said. He also suggested paying attention to the Open Garages Website, where car and IoT security researchers discuss vulnerabilities and fixes.
Smith also said that the companies need to be more open, if only because it makes it easier to find problems and fix them.