
Connected car hacking: Who’s to blame?

10 Jan 2017

I’ve just about recovered from the sensory overload that is CES to gather my thoughts from what was another fascinating event. This blog, on connected car hacking, is the first of two posts.

New cars are networked computers with an engine attached. Yours doesn’t sync with your phone when it detects you driving? That’s so 2016. At this year’s CES, we saw cars that attempt to connect all the dots along your morning commute, including suggesting routes with less congestion, reminding you of appointments and such. But when this complex ecosystem has issues, who do you call?

Auto manufacturers point to the third-party computer systems, and they, in turn, point to upstream providers. You’re now driving a tech mashup that just happens to be mobile.

Recently, I bought a new car, and the sales guy told me I needed the extended warranty because the computer replacement cost more than any other single component on the car, including the engine.

Try to explain that to classic car collectors. It won’t skid on slippery surfaces, tries to park itself, and does a host of other distracting things I haven’t quite figured out. Their manuals are big thick books, but who reads the manuals?

It’s becoming clear to the folks at CES that your engine is really an accessory, which can be replaced by a very large electric one very soon, and your computer needs to keep track of voltage to that accessory and let you know about it, probably on an app on your smartphone, which seamlessly appears on your in-dash monitor when you get close to the car.

So we’ve come full circle. While years back you had an office computer where you sat at a chair and did a task, now you sit in a chair with a seatbelt surrounded by a computer that happens to be moving.

But in the same way we’ve been fighting attacks for years on desktop computers (which still have issues), we’ll increasingly see issues with that whole mobile experience. But I’m just not sure who to call anymore.

I put that question to one of the booth staff. He had no idea. Apparently, the connectivity to the car is handled by a bulk communication company as a partnership with the folks who make the car, who also partner with the computer people at the booth I was visiting.

I have a colleague in the industry who tried to hack his car for performance with some software he got online. He managed to brick his car, or at least it dropped into limp mode with very limited functionality.

He basically could only minimally drive it, and wound up going to the dealer and just saying something was broken and he didn’t know what. They couldn’t understand it either, and eventually replaced the computer. They didn’t charge him. He was very lucky.

Dealers will become more sophisticated in spotting hack attempts, even as the hacking market for performance modifications increases. There are a host of new doodads here that allow you to interface with your car more easily, and every year at DefCon there is a larger area devoted to the subject.

Manufacturers are at least working on better firewalls now to keep the computers all protected, but that won’t hit the showroom floors for years, meaning there are millions of cars on the road (basically all of them) that hackers will try to exploit.

If a vulnerability is found, they will have millions of vehicles to target that have no effective way of being updated, since few would heed the warning to take it to the dealer for a fix.

It’s not hopeless. There are lots of startups that are looking at building anti-hacking equipment for modern cars. It will remain to be seen whether manufacturers will let you use any of it without voiding the warranty and bricking a very expensive car.

If they learn to work together with the community, however, we can bring to bear lessons learned over a long period of time from chairs in front of computers-on-desks and keep us all a little safer.

Article by Cameron Camp, blogger for We Live Security, ESET
