Car Hacking: Time to dial down the panic meter

CARS being hacked make for great headlines. It provokes sinister images of a menacing hacker typing away on a keyboard in darkness, and then having the ability to turn your brakes off while you barrel down the highway – scary stuff.

But it is time to put down the tin-foil hat, because Hackers cannot – and are not about to – cause the biggest crash the M1 has ever seen. No unmodified car that the hackers didn’t have physical access to has been hacked in any meaningful way – ever. There have been instances where some running systems within the car can be played with – namely the Nissan Leaf’s air-con can be controlled remotely, and the Mitsubishi Outlander hack which was reported recently was only limited to systems such as the alarm, charging, and heating. Neither of these hacks posed any safety threat to owners of the car, and were actually carried out by a dedicated team of white hat (good guy) hackers trying to find flaws.

But let’s talk about the big scary hacks – the ones where the steering, braking and acceleration of a car is controlled remotely.

The poster boy for this type of hack is the Jeep Cherokee, which was ousted by a team of US hackers as being rather vulnerable. Here’s the catch, however; The car that was hacked was owned by the hackers, who had spent months preparing the car by updating the operating system to include key programs, and then flashing the software into the car’s computer.

5

So extensive was the work needed to allow the team to hack the car, the ECU had to be replaced twice after botched attempts. A Fiat Chrysler Australia representative stressed to WhichCar that the technology which was hacked in the US wasn’t even installed on cars sold in Australia.

“That was exclusive to US vehicles, and in fact the technology doesn’t exist anywhere outside the North American market,” the spokesperson said.

Tesla was reported as another automaker to fall foul of hackers last year, when outsiders were able to shut the car off and force it to stop. Again, though, this was a white hat hack: they had access to the car they eventually hacked, and were only successful after disassembling the dash to fiddle with the inner workings of the onboard computer, including SD card slots and USB ports – parts of the car only Tesla technicians were meant to access.

Currently then, if you’re worried about hackers taking over control of your car, the only thing you need be looking out for is a team of people pulling your car apart for weeks on end.

Regardless, Tesla Australia spokesperson Heath Walker explains the California-based company is actively working to safeguard against any potential threats.

5

Walker was quick to point out just because one manufacturer is vulnerable, not all are.

“It is worth noting that other models are set up very differently to the Model S in terms of connectivity,” Walker told Which Car.

“Not every car and its connectivity is the same. If one car is hacked, it doesn’t mean that all cars with connectivity will be hacked.”

Walker added Tesla has taken on input from security experts on what it can do as a manufacturer to improve cyber security.

“From recent investigations and research around the hacking of vehicles, the three main things that were recommended for vehicle manufacturers were the separation of the IT System from the driving system – which Tesla does; software updates – which Tesla does to be able to fix any breaches in security instantaneously; and finally, identifying secure codes with each communication with the vehicle… similar to what a bank would do, whereby [when] you undertake a transaction with a bank you get an individual security code as opposed to a repetitive code – and we also do that.

“So Tesla has ticked all the three recommendations in terms of what the experts in this field say.”

5

Tesla has built a dedicated team to work on cyber security, poaching Chris Evans from Google’s dedicated team of hackers – Project Zero –, as well as long-time Apple employee and former head of OS Security Aaron Sigel.

“That just shows that by going out and recruiting the best in those areas… how seriously we take those matters,” Walker added.

“I don’t think it is unique to vehicles, I think that any online tool has the ability for security breaches, and thus we have to be proactive in that field and are taking steps proactively. We are constantly testing our security in advance of release to ensure that we are ahead of the game. I think the fact that we can provide over the air software updates which can include security measures is a huge advancement in automotive technology.”

However, just because hacks like those that have been reported can’t happen, it doesn’t mean manufacturers shouldn’t be wary.

The Australian Cyber Security Centre (ACSC) is responsible for leading the Australian Government in regards to cyber threats, and says car manufacturers need to be serious about security.

5

“If you are connected to the internet, you are vulnerable,” ACSC coordinator Clive Lines told WhichCar in a statement.

“As many devices and control systems now connect to the internet or are designed to be accessed via wireless for maintenance purposes, security must be a key consideration in the design and operation of these systems.

“As with all software, ACSC recommends that security patches and software updates be applied as soon as possible.

"Motorists should also seek specific advice from their car manufacturer when they learn of potential vulnerabilities.”

In conclusion, you don’t have to worry about a grimy teen with a laptop cutting the brakes on your car at all. At worst, if someone wanted to play with your car, they can fiddle with the air-con, but this is only on select models, and even then, these security holes are being patched rapidly.

But cyber security is a growing topic when it comes to new cars. Manufacturers need to take the issue seriously when building models with internet connectivity, and be ahead of the game. As a consumer, however, you don’t have much to worry about at all.