Cars are getting increasingly cooler, with many new bells and whistles like cruise control and hands-free parallel parking added on year by year. But this also means that cars are increasingly reliant on onboard computers which in turn leads to the possibility of hackers finding their way into your car and having it do whatever they want it to. And although it might sound like the plot of a terrible romantic comedy, think about this: could a hacker hack their way into your heart? Possibly, as many newer pacemakers are set to a wifi signal. It’s a scary prospect, but one that we have to face.
Kathleen Fisher: We’re hearing a lot about the internet of things, how your many, many devices are becoming networked computers.
And many of these devices are a ten dollar thing that you buy and you put on your shelf and you have it for a year and you throw it away.
I think not a lot of attention is being paid to the security of those kinds of devices. In some sense the companies that are making them can’t afford to do it, but they can lead longstanding vulnerabilities.
The automotive industry is another interesting example. A typical American modern automobile has somewhere between 30 and 100 what are called “embedded control units”. An embedded control unit is just a computer. Some of them are very, very small and run very simple code native on the hardware.
Some of them are full blown Linux computers or Windows computers, and they’re networked. A modern car has four to five network connections where the computers on the car talk to computers outside of the car. So an example is: there’s a Bluetooth connection so that your cell phone can talk to the car so that you can play your music from your phone on the car or you can talk on the cell phone without having to use your hands. There’s also a telematics unit which is the thing that if you get in an accident will arrange to call 911 or have the paramedics come. That service which is really useful and it’s a great safety feature means that your car has a cell phone number and that it’s possible to communicate with your car over that cell phone connection. Hackers can use those network connections to remotely break in to the computer system that’s on your car, and white hat hackers have shown they can do that and then can then rewrite any of the software on the car, replace the code that was legitimately put there by the car manufacturer with whatever code they want to have there.
And a typical modern car pretty much all of the functionality of the car is now controlled by software. So braking is controlled by software because you really want to have antilock braking.
Acceleration is controlled by software because of cruise control. Like you really want to have a car that can do parallel parking for you. That means steering is under software control. The locks are under software control so you can push the key fob button and have your locks open. Essentially all of the functionality of cars are under software control. And for the most part that’s a really good thing. Having it be under software control means that you can get increased functionality. You can have improved safety features. You can get upgrades as the car companies figure out how to do things better. All of that’s really good.
The downside is that, because it’s controlled by software, if an attacker can come in and replace that software then they can control the braking and the acceleration and the locks and everything that was under software control.
So we’re starting to see theft rings, for example, that are using electronic hacking in order to steal cars more easily. Lloyds of London recently stopped insuring Land Rovers in England unless the Land Rovers were garaged in a locked facility because they were being stolen too frequently.
So that’s the kind of state of the art of the automotive industry. The question is well, why isn’t it better? So one starting point is: it’s really hard to get good security. You have to do tons of things right. It costs money. So the car industry could improve the security of their cars, and hopefully they will eventually. That improvement will cost them money and the car industry doesn’t have huge profit margins. They can’t really afford to invest in the security unless they can recoup the cost associated with that investment by passing the cost on to the consumer. So that means the price of the car is going to be higher.
So then why is the consumer going to go buy the car that’s more than the equivalent car from a different manufacturer?
Well typically the answer is how well you do advertising. You explain to the consumer why they’re getting more value for this extra cost.
The problem is if you imagine a car company starting an ad campaign to explain their car is more cyber-secure... most consumers these days probably think their car was already cyber-secure. They didn’t realize that their car could be hacked into. So the result of such an advertising campaign could, in fact, be to make people afraid to buy any new car whatsoever rather than causing them to buy a particular car. So I think an advertising approach to motivating consumers to pay slightly more for a particular car is not really viable. So that means all of the cars have to have, basically all of the companies have to do it at the same time. They all have to do this extra investment and basically the price of all cars goes up by a little bit.
Then there’s no longer this differentiation between manufacturers and consumers to be choosing between cars that all have roughly the same level of security.
Going back just a bit: Another reason why the car companies can’t advertise on the security is suppose one car company actually did go and invest a ton in making their cars more secure. And then they advertise their car was more secure. That’s kind of painting a big target on your back as far as the hacker community is concerned. Certain individuals would take that as a challenge, and they would go—you sort of get some number of credibility for hacking into any car, but if you hack into the car that is from the company that is advertising that their cars are secure you get way more credibility.
If they find a vulnerability and then publish it, that car all of a sudden is less secure than the other cars that might actually have more vulnerabilities, but no one has discovered it because the vulnerability is public and people know it exists and therefore can exploit it. So it’s this weird situation where although the car in some absolute sense is more secure, in a practical sense it’s less secure because there’s a publicly known vulnerability.
So advertising is bad both because it could scare away consumers entirely and it could direct hackers to your specific car, decreasing the security of that car as a result.
So we’re left with “how do you get sort of the car industry as a whole to produce more secure cars?” And that requires some kind of external motivation. They might decide to do it because it’s just the right thing to do. Typically companies are motivated by financial reasons. They usually can’t afford to do things just because they’re the right thing to do.
In terms of outside forces, one outside force would be government regulation. So, cars many years ago were very unsafe. Ralph Nader wrote famously “Unsafe At Any Speed,” and that prompted federal regulations.
There’s the five star safety crash rating system, for example, that created a regime where cars were tested for their safety and given scores and consumers could then use those scores in making their decisions. I think creating such a regime in the current political climate is unlikely.
Another possibility is the insurance industry might start to impose—put financial pressure on the car industry.
We saw that with the Lloyds of London refusing to insure Land Rovers that weren’t garaged in locked facilities because of electronic theft, that if the insurance companies start to notice that certain kinds of cars are getting hacked into with negative consequences for theft or for accidents they might increase the insurance premiums on that particular brand, and those insurance premiums might then drive consumers to cars that don’t have those characteristics. And that might then motivate the car industry to improve the security. That’s kind of a long chain, but at the moment I think that’s my best guess as to how we’ll get better cybersecurity in our cars.
I think the car industry is in some sense representative of many other industries. So like medical devices are another domain. Things like pacemakers and insulin pumps. They are relatively simple computer systems that are networked to other computers. Like it makes sense for a pacemaker to have a Wi-Fi device so a doctor can monitor how the heart’s doing. But once you have that Wi-Fi connection a hacker can use it to go in and modify the code in the pacemaker.
And so there are basically lots of examples of industries where things that previously weren’t computers at all are now not only computers but they’re networked computers, and over time those industries will need to accept that they’re network computers and start to apply security techniques so that the systems are more secure.