Car hacks are an acutely realistic threat, but are UK drivers at risk? We ask the experts with insider knowledge of the automotive and tech industry whether carmakers are investing in the right security, and whether recent reports can be written off as scaremongering.
Two hackers took control of a Jeep last week in a demonstration for tech magazine Wired - the latest in a series of embarrassing showcases of vulnerabilities in various luxury brands’ models.
Techworld recently revealed Jaguar Land Rover was recalling thousands of its 4x4 models due to a software flaw that saw car doors unlock and in one case fling open mid-journey. Defects like these are increasing as cars become reliant on software, LTE and WiFi networks.
Are car manufacturers doing enough?
Amidst the media scrutiny, expert Pete Highton believes car brands are making improvements in car security. Highton is principal staff engineer at Freescale Semiconductor and works with McLaren’s Formula 1 cars, amongst other automotive manufacturers.
Freescale’s semiconductors form part of the microprocessors that McLaren uses to learn more about its car, a technology which is used by most carmakers as they become increasingly digital. Samsung, Intel, Qualcomm and Sony make similar chips, which are primarily found in smartphones.
“With the advent of the connected car and continued extension of that connectivity from General Packet Radio Service (GPRS) to 3G, 4G and WiFi there has been a period over the last three to four years where car manufacturers have had to re-evaluate their approach to car security,” he told Techworld.
Securing these connections involves encryption, decryption and authentication modules on microcontrollers and microprocessors in the car, he explained.
“No car manufacturer wants the dubious honour of being the first hacked car. As a result the ‘mission critical’ parts of the electronics (the engine control unit, for example) are not exposed to wireless interfaces directly.”
However, hackers are able to intercept data sent from the engine control unit to the car’s communication gateway – usually the infotainment system, like Apple’s CarPlay. The security in place here is on the same level as algorithms that run on your laptop or tablet computer.
Many car brands have their own version of a "cloud platform" that drivers can sign into and use to check tyre pressure and use GPS through their dashboard, as well as monitor aspects of the car on their smartphone.
Some, like Ford, have even announced over-the-air software updates, similar to a new OS for your smartphone, following in Tesla's fashion. Tesla is already gearing up for a driverless feature update that will allow auto steering, as part of its 6.2 version OS, which prompted concerns over further man-in-the-middle attacks.
“Looking at what manufacturers are currently targeting in terms of in-car security, I would suggest that they have taken internet security as a good starting point and aimed at the next level. For example, implementing 256-bit encryption rather than 128-bit, which is still very popular within web security,” Highton said.
Doesn't everyone encrypt?
Such "simple" encryption methods escaped BMW last year. It was forced to patch 2.2 million cars that link to its ConnectedDrive platform after hackers were able to unlock cars using their smartphones in a simple “man in the middle” attack, in which a thief sends information from a server (a mobile phone perhaps) pretending to be a BMW and fools the car into unlocking. The carmaker responded with a patch to encrypt that data, which it said in a statement would offer security to “rival online banking”.
The move raised eyebrows amongst the cyber security community, which has long considered encryption “absolutely bog-standard good practice” when using or developing software.
Remote access to cars on the road
Theft aside, the most pressing concern is an attack on a moving vehicle and the ability to take control of a car remotely. Highton says this is only possible if hackers have access to a car for several days and have a “serious amount of processing available to attempt to decrypt the encrypted data,” presuming it is encrypted.
One big assumption is that hackers could get the car, or the electronic units at the very least, up and running. Highton says that the latest versions of microprocessors (which will be in the car) come with tamper detection, which will render a unit useless if it thinks it has been intercepted.
Of course, not all cars may be using the latest releases from semiconductor vendors. Rival firm NXP’s chief technology officer, Lars Reger, said that ultimately, it’s up to car makers and their suppliers to invest in security like encryption and intrusion detection systems.
In addition, cars need to be considered on a case-by-case basis.
He said: “The connected vehicle must be secure from hackers, and all messages must be properly authenticated. Different systems and networks within the car have different vulnerabilities and attack points and therefore will likely require different levels of security. In some cases, software security may be sufficient but other cases will require much stronger tamper-proof security solutions.”
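To make the requirement that "all messages must be properly authenticated" concrete, and to show why the spoofed-server unlock described in the BMW case fails once the car verifies its commands, the following is an added sketch and not code from any carmaker or from this article. The message format, the per-vehicle shared key, the counter scheme and all names are assumptions chosen for illustration; HMAC-SHA256 stands in for whatever authentication a real platform uses.

```python
import hashlib
import hmac
import json

# Constructed sample values: per-vehicle key provisioned out of band (assumption).
VEHICLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
VEHICLE_ID = "EXAMPLE-VIN-0001"


def _encode(body: dict) -> bytes:
    # Canonical encoding so both sides compute the tag over identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(key: bytes, vehicle_id: str, counter: int, action: str) -> dict:
    """Backend side: build a command and attach an HMAC-SHA256 tag."""
    body = {"vehicle_id": vehicle_id, "counter": counter, "action": action}
    return {"body": body, "tag": hmac.new(key, _encode(body), hashlib.sha256).hexdigest()}


class VehicleReceiver:
    """Car side: act only on commands that are authentic, addressed to us and fresh."""

    def __init__(self, key: bytes, vehicle_id: str):
        self._key, self._vehicle_id = key, vehicle_id
        self._last_counter = 0  # highest counter accepted so far

    def handle(self, message: dict) -> str:
        try:
            body, tag = message["body"], message["tag"]
            counter = body["counter"]
            expected = hmac.new(self._key, _encode(body), hashlib.sha256).hexdigest()
            authentic = hmac.compare_digest(expected.encode(), tag.encode())
        except (KeyError, TypeError, ValueError, AttributeError):
            return "rejected: malformed"
        if not authentic:  # sender does not hold the vehicle key, or body was altered
            return "rejected: bad tag"
        if body.get("vehicle_id") != self._vehicle_id:
            return "rejected: wrong vehicle"
        if not isinstance(counter, int) or counter <= self._last_counter:
            return "rejected: replayed or stale"
        self._last_counter = counter
        return f"accepted: {body.get('action')}"


if __name__ == "__main__":
    car = VehicleReceiver(VEHICLE_KEY, VEHICLE_ID)
    cmd = sign_command(VEHICLE_KEY, VEHICLE_ID, 1, "unlock")
    print(car.handle(cmd))  # first delivery
    print(car.handle(cmd))  # same message captured and sent again
```

Encrypting the channel alone does not give the second result: the counter check is what stops a recorded, genuinely signed command from being replayed later.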