A new paper on the security of internet-equipped automobiles shows them to be, well, frighteningly insecure. Researchers were able to remotely cut the breaks, stop the engine and lock out the driver on a typical, new-model networked vehicle.
Thinking back to the insecure early days of networked computing, a team of computer security specialists from the University of Washington and the University of California, San Diego thought it might be worth checking out how new automobiles - increasingly featuring computers and networked control systems - stood up to attempted hacking. Not very well, it seems!
The researchers successfully breached two test cars that were representative of the computer network control systems that have proliferated in most cars today:
We demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input - including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.
I know some people get off on road rage and all that, but I generally like my driving to be as free of adversaries as possible. Even worse, the team was successful in deploying "composite attacks", in which they were able to "insert malicious software and then erase any evidence of tampering after a crash".
The marriage of cars and computers seems natural, or at least inevitable, but the security of these computers is literally a matter of life and death. As one team member said, "We found ourselves thinking we should try to get in front of this before it suddenly becomes an issue." [NYTimes]
Image credit MNicoleM