
Bit9

A few events have converged to make me think this post is a timely one.  One of these events is the recent CES announcement of GM’s “OnStar Future Car” <cue fading echo> and associated developer API.  This follows un-coincidentally on the heels of Carlos Ghosn’s announcement that Renault will open up the car as a platform, allowing Android devices to interface with some systems on the car.

Among other things, GM “…will let you use a mobile app to unlock OnStar-quipped [sic] cars”.  The way I feel about this can only be properly expressed with a prepubescent teenage texting meme: O… M… G

This is one of the worst ideas in the long, sad history of bad ideas.  It has already been demonstrated that the OnStar system is hackable and presents a significant potential threat.  Perhaps less well known is that all modern cars use a common bus, called CANBUS, that links a plethora (I know I know, “gesundheit”) of small embedded computer systems that control braking systems, stability control, fuel injection timing, etc.  Even more worrying than someone else starting your car remotely is the fact that these CANBUS-linked systems are also vulnerable to attack, as shown in this NSF-sponsored research paper.  There, researchers (including names that you infosec folks should recognize) demonstrated that cars can be compromised and controlled in ways very similar to your desktop computer.
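To make the bus-level point concrete from a defender's side: CAN frames carry an arbitration ID and up to eight data bytes, but no sender authentication, so any node that reaches the bus can transmit under any ID. About the only thing a monitoring node can do is compare traffic against what the bus normally looks like. The following is an added example, not code from the post or from any vehicle or OnStar component: it parses a constructed candump-style text log (the `(timestamp) iface ID#DATA` format used by can-utils), learns a per-ID baseline of payload lengths and peak frames per second, and flags frames from IDs never seen during baselining, frames with an unexpected payload length, and bursts that exceed the learned rate. The IDs, payloads and timestamps are all made up for the example.

```python
import re
from collections import defaultdict

# candump-style text line, e.g. "(0.200000) can0 0C1#0001" (can-utils format)
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed "known good" capture: two periodic IDs, steady rates.
BASELINE_LOG = """
(0.000) can0 0C1#0000
(0.200) can0 0C1#0001
(0.300) can0 2A0#10
(0.400) can0 0C1#0002
(0.600) can0 0C1#0003
(0.700) can0 2A0#11
(0.800) can0 0C1#0004
(1.000) can0 0C1#0005
(1.200) can0 0C1#0006
(1.400) can0 0C1#0007
(1.500) can0 2A0#12
(1.600) can0 0C1#0008
(1.800) can0 0C1#0009
"""

# Constructed suspect capture: an ID absent from the baseline, a burst of
# 0C1 frames, and a 0C1 frame with a payload length never seen before.
SUSPECT_LOG = """
(0.000) can0 0C1#0000
(0.200) can0 0C1#0001
(0.300) can0 2A0#10
(0.400) can0 0C1#0002
(0.600) can0 0C1#0003
(0.700) can0 2A0#11
(0.750) can0 7DF#0201050000000000
(0.800) can0 0C1#0004
(1.000) can0 0C1#0005
(1.050) can0 0C1#0005
(1.100) can0 0C1#0005
(1.150) can0 0C1#0005
(1.200) can0 0C1#0005
(1.250) can0 0C1#0005
(1.300) can0 0C1#0005
(1.350) can0 0C1#0005
(1.500) can0 2A0#12
(1.900) can0 0C1#00050000
"""


def parse_line(line):
    """Return a frame dict for one candump text line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m["ts"]),
        "iface": m["iface"],
        "id": int(m["id"], 16),
        "data": bytes.fromhex(m["data"]),
    }


def parse_log(text):
    """Parse a whole log, silently skipping lines that are not frames."""
    frames = (parse_line(line) for line in text.splitlines())
    return [f for f in frames if f is not None]


def learn_baseline(frames, bucket=1.0):
    """Per arbitration ID: payload lengths seen and the peak number of
    frames observed in any single time bucket (default: one second)."""
    counts = defaultdict(int)      # (id, bucket index) -> frames in that bucket
    lengths = defaultdict(set)     # id -> payload lengths seen
    for f in frames:
        counts[(f["id"], int(f["ts"] // bucket))] += 1
        lengths[f["id"]].add(len(f["data"]))
    baseline = {}
    for (cid, _), n in counts.items():
        entry = baseline.setdefault(cid, {"dlc": lengths[cid], "peak_rate": 0})
        entry["peak_rate"] = max(entry["peak_rate"], n)
    return baseline


def check_frames(frames, baseline, bucket=1.0, tolerance=1.5):
    """Return (kind, ts, id) alerts for frames that deviate from the baseline.
    A rate alert is raised at most once per (id, bucket)."""
    alerts = []
    counts = defaultdict(int)
    rate_flagged = set()
    for f in frames:
        cid = f["id"]
        if cid not in baseline:
            alerts.append(("unknown_id", f["ts"], cid))
            continue
        if len(f["data"]) not in baseline[cid]["dlc"]:
            alerts.append(("bad_dlc", f["ts"], cid))
        key = (cid, int(f["ts"] // bucket))
        counts[key] += 1
        if key not in rate_flagged and counts[key] > baseline[cid]["peak_rate"] * tolerance:
            rate_flagged.add(key)
            alerts.append(("rate", f["ts"], cid))
    return alerts


def run_example():
    """Learn from the constructed baseline, then check the constructed suspect log."""
    baseline = learn_baseline(parse_log(BASELINE_LOG))
    return check_frames(parse_log(SUSPECT_LOG), baseline)


if __name__ == "__main__":
    for kind, ts, cid in run_example():
        print(f"{ts:8.3f}  {kind:<10}  id=0x{cid:03X}")
```

The `tolerance` factor keeps normal jitter from tripping the rate check; the example flags only gross deviations. A real monitor would also need a baseline captured across driving conditions (idle, highway, diagnostics sessions) so that legitimate but rare traffic is not reported as unknown.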

Take CANBUS, connect OnStar-of-the-future, add a dash of Android, et voila!  A recipe that security nightmares are made of.

Perhaps most worrying of all is the lack of response this seems to generate among the press and industry.  After demonstrations like these, automakers press on with their tabletization of cars, and the press coverage either gushes, yawns, or decries the driving distraction issue – all seemingly oblivious to the real and obvious threat this poses.

These threats bear many similarities to the SCADA threats that have finally started to receive long overdue attention and will be the subject of a future post.  I haven’t found many references, but I know that Mudge has been waving his hands about the threat these vulnerabilities pose to our infrastructure (nuclear power plants, electric grid, etc.) for many years – long before Stuxnet came along – and is now in a position to do something about it.  Richard Clarke’s recent fictional books also contain many warnings about potential worst case SCADA attack scenarios.

Let’s not wait a similarly long time to act on this problem.  It’s time for us to wake up and smell the new car smell – carrying a faint whiff of ozone and solder.  We can’t afford to wait for the well-established pattern to unfold, where hypothetical security threats play out in startling reality.

Let’s discriminate between technical progress and security regress.  At consumer shows like CES, we need to start exercising real consumer power and demand that security come first!
