Hackers have scopes set on your automobile

Omar Ramos-Lopez was none too pleased when fired from his job at an Austin, Tex., car dealership in 2010. So he decided to get even. Getting revenge on former employers may not be a particularly novel reaction, but his choice of payback was cutting-edge.

Texas Auto Center, where Ramos-Lopez worked, installs GPS units in leased cars that can remotely prevent the car from starting, or sound the horn on demand. Such functions come in handy if anyone happens to fall behind on their lease payments.

The disgruntled Ramos-Lopez, however, used the devices to disable cars regardless of payment status. He also set off their horns at random times. He disrupted about a hundred cars over several weeks, wreaking havoc with the lives of many drivers.

Police eventually traced the mayhem back to Ramos-Lopez, who was using another employee’s password to gain access to the firm’s GPS system from his home computer. He was charged with felony breach of computer security, but was subsequently placed in a first-time, non-violent offenders program that allowed him to avoid a criminal record.

Ramos-Lopez may not be your typical thriller-novel criminal mastermind. He does, however, offer a glimpse into the future of cybercrime. Your computer can be hacked. Your phone can be hacked. And now your car can be hacked too.

The modern car is no longer simply a mechanical propulsion device. It has also become a complex network of computers managing almost every aspect of the vehicle, from emission control to airbags, anti-lock brakes and entertainment systems. Some cars have up to 70 separate electronic systems, running on 200 million lines of code. The computers are in control.

Following Toyota’s unintentional acceleration crisis in 2010, the U.S. Transportation Research Board (TRB) commissioned a report on the implications of the widespread use of on-board electronics. While the Toyota issue turned out to be more human error than computer malevolence, the TRB report, released last month, did find much to be concerned about. Perhaps the biggest issue is what it called “automotive vulnerabilities to cyberattack,” or car hacking.

“We found that basically anything under computer control in a car is vulnerable to malicious attack,” says computer scientist Stephen Checkoway. “This includes the brakes, engine, lights, radio, wipers and electronic display. If a computer controls it, it can be controlled by an attacker.”

Checkoway, a PhD candidate at University of California, San Diego, was an investigator on two major research projects cited by the TRB. First, his team was able to hijack almost every component of an unnamed, but popular, 2009 model family sedan. Doing so required brief physical access to the car – downloading a virus via a music CD, or plugging into the engine’s diagnostic port.

In their second and more ambitious test, the researchers investigated the extent to which they could seize control remotely through the panoply of wireless devices attached to the car, such as cellular, Bluetooth, radio and tire pressure monitoring system.

Once again, mission accomplished. “We found we could compromise the car using any of these [remote] vectors,” recounts Checkoway. The radio proved to be a particularly attractive target. Since it provides all the alarms associated with the engine, turn signals and the like, it is tied into every other computer system. “If you can take over the radio, you can use it to reprogram all the other computers,” he warns grimly.

In their laboratory, researchers could send nasty messages to their test car’s display board, start and stop the engine, disable the brakes and even make two cars 1,000 miles apart perform in unison. Could any basement-dwelling computer geek do the same thing?

“It took a significant amount of work and nearly three years to get to that point,” advises Checkoway. “There are probably easier ways to disrupt someone’s life.” That said, he has clearly opened a Pandora’s box of possibilities, many of which may indeed seem worth the effort to motivated persons or groups.

First, the Tom Clancy scenario. Checkoway’s results suggest numerous cars could be jointly infected, perhaps using audio files. This could be used to prompt mass brake failure at a particular time or location. Tire pressure monitors could also be used as a triggering mechanism. And while his test car lacked self-parking capabilities, the possibility of driving a remotely-steered car off a cliff via Bluetooth seems viable.

Or an enterprising hacker could use a combination of wireless devices to seek out specific vehicles, disable their anti-theft devices, unlock the doors, start the engines and then sell the locations to eager car thieves.

And it seems like child’s play to eavesdrop on in-car conversations using built-in microphones and an Internet connection, or to lift personal information off connected cell phones, a sure boon to corporate espionage.

Checkoway observes that car hacking is likely to follow in the evolutionary footprints of its bigger brother, computer hacking. “Prior to the Internet, your personal computer was quite vulnerable, but it didn’t really matter since no one else could gain access to it,” he says. Hacking only became an issue after computers became interconnected via the Internet.

It thus seems logical that car hacking too will grow from isolated individual attacks, as with the case of Ramos-Lopez, to mass exploitation via worms or viruses and then to third-parties who sell access to compromised cars in an underground market, as with our enterprising car thief of the future.

So where does all this leave car owners, besides terrified?

For Brian Contos, security strategist with McAfee, a security technology subsidiary of chip-maker Intel Corp., car hacking is an issue that must be solved by auto manufacturers in the factory, rather than relying on drivers to add their own aftermarket antivirus protection. Besides, car buyers are notorious for ignoring safety features. “Cars have essentially become smart phones that can go 100 miles an hour,” observes Contos. “But while a hacked phone may be a big personal inconvenience, just one hacked car creates a huge risk for everyone else on the road.”

Peter Shawn Taylor is editor-at-large of Maclean’s. He lives in Waterloo, Ont.

A student of the department for aritificial intelligence at the Freie Universitaet Berlin steers a converted Dodge minivan remotely with an iPhone during a demonstration.

Photograph by: Sean Gallup, Getty Images