Become a Patron of Ask Leo! and go ad-free!
Hi, everyone. I’m Leo Notenboom for askleo.com. In a couple of months I’m going to be getting a new car, and we were talking about it, actually, this morning, and my wife asked me a really interesting question: Could my new car get hacked?
Well, I had to think about it for a second, but of course, the answer is “yes”. It actually could. In fact, most cars, produced today are full of technology and full of computers of various sorts. They’re also more and more commonly being connected continuously to the internet for everything from streaming music to telemetry to progress tracking to any number of different things that might end up being useful in terms of functionality provided that requires online connectivity.
So naturally, there’s a concern that one might hack a car. Now this comes at a particularly interesting time because of the recent internet of things hack or the Denial of Service attack that turned out to be basically not so much instigated but enabled by an incredible number of hacked simple devices that happen to be connected to the internet – the internet of things.
So, my wife actually asked well, does your car, then, become one of the things on the internet? Well, yes, it actually does. Do we consider to be alongside the toaster of the internet-connected toaster? That I’m not sure of. I have a hard time thinking of it as part of the internet of things, but what’s relevant here, of course is that at times, it will indeed be connected to the internet.
Anything connected to the internet is potentially a target. Now, when it comes to cars, to be honest, hacking isn’t anything really new. Even for non-connected cars, what most cars have these days is something called OBD, Onboard Diagnostics. If you’ve ever taken a look under your front dashboard, you may very well find a connector if some sort. That connector actually connects to a communications bus that connects all of the various and sundry computers that may be part of your car.
Like I said, if you’ve got a car even less than 10 years old, chances are it’s got at least one and potentially several different computers on board. They’re all connected and they all talk to one another over this bus. Now, since it’s not connected to the internet, there’s not really a lot of concern about random connections or random hacking happening to it. I mean on this surface it would seem that one would need to actually have physical connectivity to that bus.
Well, two things: One, that kind of implies that security wasn’t a big consideration when the original OBD was created. Second, what are we plugging into that connector? Devices that can track; devices that end up connecting either to your mobile phone or to the internet directly, and as a result, yeah, there’s path.
It’s not an easy path; it’s not an easy path to be hacked, and it’s not something that I’ve even heard of any proof of concept, true remote hacking, but I do know that using devices connected to the On Board Diagnostic bus, that yes, those kinds of cars have been hacked.
More interestingly, there have also been proof of concepts where internet connected vehicles have indeed been hacked. We’ve seen a couple of news reports where control of the vehicle was actually wrested away from the driver, so that the car came to a stop, or the car basically as proof of concept, it was very benign, the car came to a stop and slowed down and maybe even turned off to the side of the road but the bottom line is the driver did not have control of his vehicle, a remote hacker did.
Now, the question, of course, is this something to worry about? And of course, my answer is it’s not something to panic about. It’s something to be aware of for sure. When we take a look at the internet of things responsible for the Denial of Service attack a few weeks ago, one of the things we realize is that these devices were never really created with thorough security in mind. The phrase I use is, “Well, who wants to hack a toaster?”
I mean, great, you can make my toast pop up earlier and come out brown when I wanted it light or something like that. What we didn’t realize at the time those devices were being created is not only were they interesting devices for whatever reason they may be, but they have computers in them, and those computers can be used to do things elsewhere on the internet. So rather than screwing around with your toast or your security footage or your refrigerator or your whatever, what was really happening was those small computers in those devices were being used to remotely cause problems elsewhere.
The bottom line for those kinds of devices is that security was either not present or it was an afterthought. It was the kind of a thing where they came along and suddenly realized, well, you know, now that we’ve got this wonderfully functional device here, I guess we should make it secure.
The good news for major devices of which I will throw cars, automobiles into, is that it’s long been known that they are interesting targets for hacking. Not necessarily for this internet of things style hacking where they end up using the computer in the car to damage elsewhere, but the actual ability to do damage within the car itself has always been on the minds of the individuals who are creating the software, designing the software, designing the cars, so that security is kind of, sort of baked in from the beginning. Now, that’s not a panacea; that’s not a silver bullet.
The problem, of course, is with the internet of things approach, security is an afterthought. With the more serious devices, like cars and computers, laptops and so forth, security is at least being baked in. It’s at least being attempted. The problem is we are once again then at the mercy of the ability and the expertise of the individuals doing the baking – the people who are actually designing security and actually implementing in all those devices.
As we’ve seen, there’s a range. There are really secure devices with security thoroughly and truly baked in from the beginning and there are devices that claim to be secure which basically aren’t. Not because they didn’t attempt, but because they just really weren’t very good at it, or they weren’t thinking of the entire security picture.
Security in order to be done well, really needs to be part of a device’s architecture from the beginning. Now that we know that security is an issue for automobiles then presumably the auto manufacturers are “doing the right thing” to actually make sure whatever it is they have, whatever connectivity they use, whatever functionality they expose is done in a way that is secure and protects the driver and the vehicle as well as potentially using the computers on that vehicle as internet of things attack devices.
So, what’s a poor user to do? Well, as we saw a couple of weeks ago when I wrote about the internet of things debacle, in some ways there’s not a lot can necessarily do. You know, we’ve talked about staying behind a router, changing the default passwords for those devices for which you can or have a default password. Those kinds of things.
But when it comes to other devices, in fact when it comes to all devices, the most important thing you can do is stay up to date. This is nothing new; these are techniques and approaches that we’ve talked about for computing systems – Windows, Apple, Linux – for years. Keep the software up to date, because the software reflects the current understanding of the threat landscape. The software reflects the current fixes to stop problems that are coming across the threshold, so when it comes to other devices, be it I suppose your internet of things refrigerator or your car, or your laptop, or your desktop, keep it up to date.
But also, stay aware. Keep an eye on what’s going on in the landscape for your specific device. Make sure you understand what is and is not a threat. If you hear about something, question it. If you have a vehicle, make sure that it gets regular maintenance. Regular maintenance for vehicles today includes software updates. And that’s something that’s as important for today’s cars as it is for today’s computers.
But like I said, the best thing you can do is to stay informed. Keep watchful. Everything from consumer watchdogs to actual manufacturer websites to the sources where you purchase whatever it is we’re talking about, they should be able to provide current information on the actual landscape for whatever it is you have and presumably, provide updates (assuming you have a device that is updatable) and then basically resolve the issues before they become an issue for you.
When it comes it back to my car, well, to be honest, I would honestly be more concerned about a random security camera that I bought off the shelf in a big box store, than I would be about the cars. Security cameras, for example, clearly have had some issues in recent weeks. Cars, not so much. Not yet anyway and that’s why I’ll also be paying attention to the manufacture and the dealer from where I got the car for the latest information on anything that might be relevant to its safety and its security.
So as always, I would love to hear what you think. What kind of devices are you using that fall into this category? What is updatable and not updatable? If you run across a device that you find out has a security issue and it can’t be updated, are you ready to throw it out? Is it an issue for you?
As always, I’d love to hear what you think. Let me know down in the comments below this article. If you’re watching this anywhere but on askleo.com, this is the place, here’s the link to this video posted on askleo.com. That’s where all the comments are moderated. I read every single one of them. I’d love to hear from you. Until next time, I’m Leo Notenboom for askleo.com. Remember stay safe, have fun and don’t forget to back up. Take care.
Was that video interesting? Helpful even? Well then I could use your help. I’ve got a Patreon project underway. You’ve got an opportunity to contribute and help support askleo.com to help me do what I do. Help more people, answer more questions, produce more information about technology that hopefully can help you and others use it more effectively and with more confidence.
Visit Patreon.com to learn more. Among other things, you get rewards depending on the level of your patronage. So check out Patreon.com/askleo to learn more and help contribute to askleo.com. Thanks!
Subscribe to Confident Computing! More confidence & less frustration -- solutions, answers, & tips -- in your inbox every week.
I'll see you there!