The infamous Charlie Miller and Chris Valesek set the media abuzz with concerns that cars are going to be hacked remotely while in motion. In truth, there is very little chance of an average American car being hacked unless it owned by a white hat cyber security company or university.
The hacking duo have a flair for the dramatic, sending a Wired contributor into a ditch by taking over control of Jeep Cherokee. Before you panic you should know a few things about how the hackers were able to accomplish their dastardly feat.
The hackers did the following:
- They had physical access to the car before the experiment.
- Miller posted on his Twitter account that he “bricked the headunit on his Cherokee and had to replace it in December 2014.
- They had the IP address of the vehicle.
- They were working on it the hacking for a long time.
- They had to rewrite the code of the CAN bus for their hack to work.
- They picked a car that they rated as the most vulnerable which they announced in August of 2014.
- They picked a dramatic situation to get the most media attention possible.
- They are security professionals with exceptional coding skills.
- They have the time and money to accomplish the task.
Valesek said at the Connected Car Expo that he thought hacking cars was fun. Both Miller and Valesek are on the board of IO Active, a security firm that now has an automotive practice to deliver cyber security strategies and risk mitigation for automakers and Original Equipment Manufacturers (OEMs). IOActive has also invested in a garage designed for researching vehicle and transportation security. They have the time and equipment most other hackers don’t have. They also have a motivation to make money from the automakers, hacking events and speaking engagements.
“Yes, there is a growing concern,” Frost & Sullivan analyst Praveen Narayanan told USA Toady, “But let’s not get too much ahead of ourselves. All of this noise is coming from the security community – the community that wants business at the end of the day.”
The vulnerability has been patched through an update.
If you’ve heard of one of our vehicles being #hacked, don’t worry. We have a #patch http://t.co/UjjpH6aYRc #USonly
— FCA Corporate (@FCAcorporate) July 22, 2015
The last time there was a remote hack, it was with a thinly disguised late-model Chevy Impala on 60 Minutes. Analysts agreed that there was very slim chance that any car on the road would be hacked. The system that was hacked is no longer in use.
There have been very few instances of car hacking while a vehicle is moving except by organizations that specialize in cyber security or Universities. It has gotten more difficult for thieves to steal connected cars, especially with ways to track them via apps and devices like LoJack.
Car break-ins via a power amplifier can be prevented with a Farady bag or device for as little a few dollars on Amazon.
Mission Secure remotely hacked a connected car via key fob at 63 meters and also showed a solution to prevent the problem. The company had physical access to the car prior to the tests.
BT Assure security launched its “ethical hacking” service to improve connected car security. The service will hack and attack connected vehicles to help automotive players develop security solutions
Argus Cyber Security showe AUTO Connected Car News a way to stop headunit hacks at CES International.
Automakers are aware of cyber security threats and are working on ways to help each other.
At the 2015 SAE Battelle CyberAuto Challenge automakers announced an added layer of cyber protections by launching an Auto ISAC that will serve as a central hub for intelligence and analysis, providing timely sharing of cyber threat information and potential vulnerabilities in motor vehicle electronics or associated in–vehicle networks.
Automakers are very secretive about security because they don’t wan the hackers knowing what they are doing.
Today, Daimler CEO Dieter Zetsche said that German automakers have bought Nokia HERE to better control security.
“We have the goal of designing security into the software,” said Zetche during second quarter financial results call.
Since there have been so few instances of remote hacking, you are more likely to get struck by lightning. According to National Lightning Safety Institute, the odds are 1 in 280,000 of being struck by lightning which could blow out the car’s computer and infotainment system, blocking hackers instantly.