Transcript
Hi, everyone. I’m Leo Notenboom for askleo.com. In a couple of months I’m going to be getting a new car, and we were talking about it, actually, this morning, and my wife asked me a really interesting question: Could my new car get hacked?
Well, I had to think about it for a second, but of course, the answer is “yes”. It actually could. In fact, most cars produced today are full of technology and full of computers of various sorts. They’re also more and more commonly being connected continuously to the internet for everything from streaming music to telemetry to progress tracking to any number of different things that might end up being useful in terms of functionality provided that requires online connectivity.
So naturally, there’s a concern that one might hack a car. Now this comes at a particularly interesting time because of the recent internet of things hack or the Denial of Service attack that turned out to be basically not so much instigated but enabled by an incredible number of hacked simple devices that happen to be connected to the internet – the internet of things.
So, my wife actually asked, well, does your car, then, become one of the things on the internet? Well, yes, it actually does. Do we consider it to be alongside the internet-connected toaster? That I’m not sure of. I have a hard time thinking of it as part of the internet of things, but what’s relevant here, of course, is that at times, it will indeed be connected to the internet.
Anything connected to the internet is potentially a target. Now, when it comes to cars, to be honest, hacking isn’t anything really new. Even for non-connected cars, what most cars have these days is something called OBD, Onboard Diagnostics. If you’ve ever taken a look under your front dashboard, you may very well find a connector of some sort. That connector actually connects to a communications bus that connects all of the various and sundry computers that may be part of your car.
Like I said, if you’ve got a car even less than 10 years old, chances are it’s got at least one and potentially several different computers on board. They’re all connected and they all talk to one another over this bus. Now, since it’s not connected to the internet, there’s not really a lot of concern about random connections or random hacking happening to it. I mean, on the surface it would seem that one would need to actually have physical connectivity to that bus.
Well, two things: One, that kind of implies that security wasn’t a big consideration when the original OBD was created. Second, what are we plugging into that connector? Devices that can track; devices that end up connecting either to your mobile phone or to the internet directly, and as a result, yeah, there’s a path.
It’s not an easy path; it’s not an easy path to be hacked, and it’s not something that I’ve even heard of any proof of concept, true remote hacking, but I do know that using devices connected to the On Board Diagnostic bus, that yes, those kinds of cars have been hacked.
More interestingly, there have also been proof of concepts where internet connected vehicles have indeed been hacked. We’ve seen a couple of news reports where control of the vehicle was actually wrested away from the driver, so that the car came to a stop, or the car basically as proof of concept, it was very benign, the car came to a stop and slowed down and maybe even turned off to the side of the road but the bottom line is the driver did not have control of his vehicle, a remote hacker did.
Now, the question, of course, is this something to worry about? And of course, my answer is it’s not something to panic about. It’s something to be aware of for sure. When we take a look at the internet of things responsible for the Denial of Service attack a few weeks ago, one of the things we realize is that these devices were never really created with thorough security in mind. The phrase I use is, “Well, who wants to hack a toaster?”
I mean, great, you can make my toast pop up earlier and come out brown when I wanted it light or something like that. What we didn’t realize at the time those devices were being created is not only were they interesting devices for whatever reason they may be, but they have computers in them, and those computers can be used to do things elsewhere on the internet. So rather than screwing around with your toast or your security footage or your refrigerator or your whatever, what was really happening was those small computers in those devices were being used to remotely cause problems elsewhere.
The bottom line for those kinds of devices is that security was either not present or it was an afterthought. It was the kind of a thing where they came along and suddenly realized, well, you know, now that we’ve got this wonderfully functional device here, I guess we should make it secure.
The good news for major devices of which I will throw cars, automobiles into, is that it’s long been known that they are interesting targets for hacking. Not necessarily for this internet of things style hacking where they end up using the computer in the car to damage elsewhere, but the actual ability to do damage within the car itself has always been on the minds of the individuals who are creating the software, designing the software, designing the cars, so that security is kind of, sort of baked in from the beginning. Now, that’s not a panacea; that’s not a silver bullet.
The problem, of course, is with the internet of things approach, security is an afterthought. With the more serious devices, like cars and computers, laptops and so forth, security is at least being baked in. It’s at least being attempted. The problem is we are once again then at the mercy of the ability and the expertise of the individuals doing the baking – the people who are actually designing security and actually implementing it in all those devices.
As we’ve seen, there’s a range. There are really secure devices with security thoroughly and truly baked in from the beginning and there are devices that claim to be secure which basically aren’t. Not because they didn’t attempt, but because they just really weren’t very good at it, or they weren’t thinking of the entire security picture.
Security in order to be done well, really needs to be part of a device’s architecture from the beginning. Now that we know that security is an issue for automobiles then presumably the auto manufacturers are “doing the right thing” to actually make sure whatever it is they have, whatever connectivity they use, whatever functionality they expose is done in a way that is secure and protects the driver and the vehicle as well as potentially using the computers on that vehicle as internet of things attack devices.
So, what’s a poor user to do? Well, as we saw a couple of weeks ago when I wrote about the internet of things debacle, in some ways there’s not a lot you can necessarily do. You know, we’ve talked about staying behind a router, changing the default passwords for those devices for which you can or have a default password. Those kinds of things.
But when it comes to other devices, in fact when it comes to all devices, the most important thing you can do is stay up to date. This is nothing new; these are techniques and approaches that we’ve talked about for computing systems - Windows, Apple, Linux – for years. Keep the software up to date, because the software reflects the current understanding of the threat landscape. The software reflects the current fixes to stop problems that are coming across the threshold, so when it comes to other devices, be it I suppose your internet of things refrigerator or your car, or your laptop, or your desktop, keep it up to date.
But also, stay aware. Keep an eye on what’s going on in the landscape for your specific device. Make sure you understand what is and is not a threat. If you hear about something, question it. If you have a vehicle, make sure that it gets regular maintenance. Regular maintenance for vehicles today includes software updates. And that’s something that’s as important for today’s cars as it is for today’s computers.
But like I said, the best thing you can do is to stay informed. Keep watchful. Everything from consumer watchdogs to actual manufacturer websites to the sources where you purchase whatever it is we’re talking about, they should be able to provide current information on the actual landscape for whatever it is you have and presumably, provide updates (assuming you have a device that is updatable) and then basically resolve the issues before they become an issue for you.
When it comes back to my car, well, to be honest, I would honestly be more concerned about a random security camera that I bought off the shelf in a big box store, than I would be about the cars. Security cameras, for example, clearly have had some issues in recent weeks. Cars, not so much. Not yet anyway and that’s why I’ll also be paying attention to the manufacturer and the dealer from where I got the car for the latest information on anything that might be relevant to its safety and its security.
So as always, I would love to hear what you think. What kind of devices are you using that fall into this category? What is updatable and not updatable? If you run across a device that you find out has a security issue and it can’t be updated, are you ready to throw it out? Is it an issue for you?
As always, I’d love to hear what you think. Let me know down in the comments below this article. If you’re watching this anywhere but on askleo.com, this is the place, here’s the link to this video posted on askleo.com. That’s where all the comments are moderated. I read every single one of them. I’d love to hear from you. Until next time, I’m Leo Notenboom for askleo.com. Remember stay safe, have fun and don’t forget to back up. Take care.
I wish that I could read the article on “Can my car get hacked?”. I am deaf and rely on reading the transcripts, but this time I couldn’t get it. The button took me to AdChoices.
The transcript always comes a day or 2 after the video is uploaded. It’s up now.
The transcript is running late this week. Sorry. It’ll be here soon.
Hello, Leo, we nerdly-challenged and even apprentice nerds like me are ever grateful for your clear and incisive articles. So glad retirement was temporary. Hope the boss gives you time off. And a new Beemer. And month in Tahiti. Cheers, GWP
Given that I am my own boss, talking to myself is kinda frowned upon.
And, no, it’s not a Beemer that I’ll be getting. :-)
So far, cars require physical access to hack… But many manufacturers (GM, Audi, Tesla are three I’m grabbing off the top of my head) are including 4G cellular and WiFi connectivity built right in, so that the infotainment system can grab traffic and weather data, and do more complicated things like search for points-of-interest on Google (for example). And the software in those infotainment systems is, in most cases, being automatically updated — which is good for security updates, of course — but the fact that those computers can be remotely accessed by the manufacturer means they can be accessed by hackers, once those hackers figure out how to bypass the automaker’s security.
And *everything* in the car is connected by the CAN bus (Common Area Network). *Everything* can be messed with, once you have access to the CAN bus in a car. If you’re lucky, the hackers will just disable the car and prevent you from driving it. If you’re unlucky, they’ll take remote control of the throttle (*every* modern car has a throttle-by-wire system where your throttle pedal is not directly connected to the engine, but goes through a computer which in turn controls the engine) and cause it to run the engine at a very high rate of speed, potentially causing you to wreck and kill yourself.
At least computer hacking doesn’t cause deaths! Car hacking can *easily* do so. The auto manufacturers need to step up their security measures a great deal!!!
One other thing that comes to mind — software has a shelf-life. Microsoft stopped supporting Windows XP. They have listed an EOL (End Of Life) date for Windows 7 and Windows 8.1. Are the auto manufacturers going to do this with the software on our cars’ computers? Will there come a time when it’s just too bad for you because the manufacturer will not update the software, patching a recently-discovered security flaw? Your 8- or 10-year-old car becomes undriveable because the software is out of date? (Have you ever tried to use a 10-year-old computer program on a modern computer? You’ll know what I mean by “unusable”!). Classic cars are still on the road today, because there are no computers in them. Will modern cars simply be obsolete after 10 years, and we are absolutely forced to toss them out and buy new ones? Will there be no classic cars in the future, because today’s cars need new software to stay on the road, and there’s none available? That’s food for thought, at any rate…
I disagree with your opening sentence “So far, cars require physical access to hack”. Go to YouTube and search for “Jeep hack remote”. Have fun watching the various videos. That hack has been exposed and taken care of. How many similar hacks are available, and in what car models, remains unknown to the public.
“Cars, not so much. Not yet anyway.” – Hacking nowadays is all about bucks. Unless the bad guys figure out a way to monetize car hacking, it’s likely not to happen.
I don’t know that I agree. Kids seem to be more motivated by the “lulz” or the chance for social media notoriety. Couple that with WAY too much time on their hands in the summer and …
It certainly used to be the case that hacking/malware creation was the realm of pimply-faced kids seeking notoriety; these days, however, it’s the work of skilled coders in the employ of criminal organizations – and it’s all about the bucks.
People need to be aware that an external source can disable your car.
If you are behind on a payment your ignition can be disabled through your GPS system.
I think you’re confusing signals from a communications satellite with GPS satellites. Functions in a car cannot be disabled by your GPS system. It simply reads data from GPS satellites & maps coordinate data to a mapping system like Google maps. On the other hand, communications satellites such as those used by OnStar, Lo-Jack or BlueSky can communicate with your car if it has that function turned on & perform various functions such as disabling your car. The satellites can transmit a specific code sequence that your on-board computers receive & perform that specific requested function.
For some cars, certainly not all.
If cars can be hacked and controlled, this could be useful to the police and enable them to stop a car they were chasing instead of the dangerous car chasing and the potential for accidents that they involve.
It would be interesting if after a software update the brake pedal accelerates the car or turning the steering wheel to the left makes the car go right. This is not a silly notion. Just a matter of time. All it takes is a misplaced negative sign or a poorly selected variable name in the code.
“Security in order to be done well, really needs to be part of a device’s architecture from the beginning.”
Probably the most important thing you’ve said this week. I’ve promoted that for years (been in IT before it was called IT) and I’ve harped on security, mostly to deaf ears.
Thanks for saying it.
I find your items very helpful for just general understanding of topics around computers etc.
This on car hacking was particularly interesting because, as a bit of a geek, I get lots of questions on security of IoT’s & particularly cars.
Keep up the good work including the transcripts.