Friday, February 22, 2013

Article Review: "Carhacking"

Most Americans have heard of cyber crimes and cyber security but, beyond what they hear on the news, know very little about them. Cyber crimes typically affect the average American only in terms of Personally Identifiable Information (PII) and identity theft. To that extent, many Americans are vulnerable to cyber crimes that target their social security numbers, dates of birth, and the like; cyber criminals attempt to gain access to personal records, bank accounts, mortgage information, etc. I have personally had two credit cards “hacked,” in which the criminals did not gain the credit card information physically; they gained the information via some cyber means, most likely capturing the information via an online transaction conducted at another site, and then exploiting the information to make the transactions. Both hacks cost the two institutions several thousand dollars, with one being charged more than $6,500 in transactions in one day.
The article, “Carhacking” in the January/February 2013 issue of Government Executive by Aliya Sternstein, addresses a new concern in the cyber security realm. Cars today, even at the lower price range, often come standard with a wide range of multimedia, information-sharing, and technology features, such as built-in CD and DVD players, USB ports, Bluetooth systems, satellite radio systems, and wireless services such as the Ford SYNC or the OnStar system. Each of these features, while making the consumer’s drive more comfortable and enjoyable, also opens the consumer up to potential cyber security threats.
The article references several real-life examples where vehicles have been “carhacked” in recent times. In Austin, Texas in 2010, a disgruntled employee from an auto dealership remotely carhacked customer vehicles and deactivated the ignition systems. In another event, yet another disgruntled auto dealer employee “manipulated in-car systems that lock the engine when clients skip payments—essentially an alternative to repossession…he immobilized the starters and Global Positioning Systems on about 100 vehicles, leaving drivers’ parked cars stranded.” Presumably, the employee manipulated the system early to wreak havoc on the dealership, but that opens up the question of the dealership even having the system in place. And what would happen if the systems were immobilized while driving?
The article presents several other hypothetical but plausible scenarios. In one, a Senator is driving home, listening to a CD from a constituent. The CD is malicious, with code that causes the vehicle to brake suddenly while she is travelling at 60 miles per hour. In conjunction with terrorists behind her, she is killed. In another supposed scenario, an FBI agent’s car phone Bluetooth system is hacked into, and as the agents discuss a case in the “privacy” of the vehicle, their conversation is, in essence, bugged.
While the article indicates the chances of this occurring today are low, researchers have been able to unlock doors, deactivate starters, and override various car safety systems. During one research test, they were able to disengage brakes. The National Highway Traffic Safety Administration (NHTSA), the agency responsible for motor safety, has released a statement that “NHTSA is aware of the potential for ‘hackers’ and other cyber security issues whenever technology is involved; however the agency is not aware of any real-world cyber security issues in vehicles.” Yet its 2013 budget request reveals a $10 million line item to study vehicle cyber risk.
Personally, I own a 2010 Ford Fusion. The vehicle has a built-in CD player, Bluetooth system, Ford SYNC, and built-in USB ports to sync multimedia devices. I use the Bluetooth capability on a daily basis to synchronize my Bluetooth phone and enable hands-free phone calling (as is now the law in Pennsylvania, where I live). The Ford SYNC system periodically asks me (unprompted by myself) to run a “vehicle health report,” which it sends to our email address, which we pre-programmed when we purchased the vehicle. The vehicle records tire pressure, percent of oil quality left before the next change is required, and miles until empty on gas, among other things. We use the USB ports to charge our multimedia devices, as well as to connect those devices and our smartphones, and broadcast podcasts and internet radio streams over the Bluetooth through the car’s stereo system.
On occasion, we’ve picked up other phone conversations in our vehicle on our car Bluetooth receiver. In theory, that shouldn’t happen; you pair your device to your vehicle only. In addition, the vehicle health report runs while you drive; could that be intercepted? According to many in the car industry, the belief is that legislation and regulation would be ineffective; the government would always be a step behind cyber criminals. Most believe the car industry should lead the cyber security charge. According to Ford, they are already beginning to take “cyber security precautions when assembling vehicles, including SYNC-enabled cars” as well as “simulate possible vulnerabilities during production.” The Ford SYNC now has a “built-in firewall” and also determines “which programs can be launched in car systems. Also, the vehicle control system network is separate from SYNC’s [and] software updates must be ‘code-signed’ or validated as Ford-authored to launch.”
This is all good news for consumers, who are probably all unaware of the cyber security dangers in the first place. All car manufacturers who are employing newer technology on board cars should take the lead in protecting their consumers. I believe regulation will only bog down the innovative process of car manufacturing, and car manufacturers are able to self-regulate and provide the highest-tech, cyber-secure equipment. If they don’t, consumers won’t purchase their products.
Sternstein, A. (2013, January). Carhacking. Government Executive.
