New car features come at a cost
Automobiles may be getting more advanced, but that doesn’t mean they are immune to hacks.
The latest cars, stuffed with technology that collects driving data and makes keys obsolete, are far “smarter” than older vehicles. However, all those features come at a cost when it comes to how easily hackers can infiltrate car computer systems.
Security researchers from the University of Washington and the University of California, San Diego took to the stage at a conference on Tuesday to describe how they were able to remotely break into vehicle electronics through an array of security holes. Speaking at the Enigma Security Conference in San Francisco, they discussed how cars have evolved over the years into computers on wheels that crafty hackers can penetrate under the right circumstances.
One particularly sensitive entry point for hacking is the legally required OBD II port, which is basically “the Ethernet jack for your car,” said Stefan Savage, a University of California, San Diego professor of computer science and engineering. It is typically located below the dashboard on the driver’s side.
This port acts as the car’s command center that connects to all of the different computer systems, said Savage. Mechanics often plug directly into this port to retrieve diagnostics for the car’s emissions, mileage, and engine errors.
However, hackers who directly connect their laptops to the port through an intermediary device can basically plug into the car’s control system and “have access to everything,” said Savage. “Once you get inside this network, all bets are off,” he said.
With cars containing multiple computers coupled together through a maze of networks, it’s also possible to break into the car’s command center without having to physically plug something into the port. Hackers just have to find a hole somewhere within one of the networks to sneak in.
These holes are often created by software conflicts that emerge when code from one device, like a CD player, communicates with code from another device, like a car’s on-board system. There’s so much code in a typical car from so many different vendors that it can be virtually impossible for automakers to know all the software inside their vehicles, he explained.
In 2010, Savage and his research team demonstrated how they were able to wirelessly hack into the command centers of a 2009 Chevy Impala through the OBD-II port. They were able to manipulate the car’s braking system so that the vehicle suddenly stopped or failed to function at all.
Savage stressed that the hacking incident on GM and similar research-led hackings into car models like the Toyota Prius and Ford Escape don’t show that any one company’s cars are more vulnerable than the next. Instead, it’s an industry-wide problem. It used to be that manufacturers didn’t typically have cyber security response teams or other means to effectively deal with the issues, he explained.
Indeed, at the time of the Chevy Impala hack, GM “didn’t have anyone to deal with cyber security” and regulators didn’t know how to address the problem, said Savage. However, his team worked closely with GM to fix the problem, and the company has since installed a chief security officer in charge of product and now has a 100-person-strong cyber security team. The company also changed its overall development process and is trying to patch possible bugs in its systems before they become public, he explained.
“I’m not going to tell you there aren’t vulnerabilities in GM’s cars, but they are in a much better position than what we started in 2010,” said Savage.
It’s worth noting that the researchers were able to pull off their hacks in staged projects in the lab. Just because they discovered them “doesn’t mean [the problems] will necessarily manifest in the real world,” said University of Washington professor of computer science and engineering Tadayoshi Kohno.
The researchers argued that security experts must continue to make bugs public if the auto industry fails to address its loose security standards. Hopefully, they said, it will prevent disasters before they happen on the road.