By Paul Mutter. Updated December 14, 2016.
Imagine a driverless cab that locks itself and delivers would-be fare jumpers to the nearest police precinct. But also imagine a driverless cab that can be reprogrammed to drop off its victim at the prearranged point for a mugging. These are not mere sci-fi fantasies, but possibilities that have to be accounted for as more and more vehicles are upgraded to run smart systems and autonomous operations.
In fact, the idea of a car that locks criminals inside is already here. According to the Seattle Police Department Blotter, a carjacker was rudely surprised when police called the stolen sedan in and, “BMW employees were able to remotely lock the car’s doors, trapping the suspect inside.”
This is one of the many new security features trumpeted for the 550i series of luxury cars, which includes “Stolen Vehicle Recovery” remote services, and a “Remote Door Unlock” option. (The 550i also has a remote trunk lock and panic button, but given that the thief didn’t have any means of accessing these, he was stuck, unable to get out unless he shattered a window.)
Before this, BMW had the misfortune of being in the cyber security search results due to a now-patched vulnerability in its firmware. That flaw made it possibly for unauthorized parties to remotely unlock doors. And BMW isn’t the only automaker to face such troubles: Nissan, Fiat, Chrysler, Volkswagen, and Tesla have, among others, all had to deal with potential issues. We can expect to see vehicle recalls for cyber security reasons, alongside traditional problems like airbag deployment. In fact, with airbags now wired into the car’s OS, we’re starting to see recalls due to software glitches.
Hacked at Any Speed?
It should be noted that some of the attacks that have been highlighted are only possible via a combination of certain conditions -- like drivers running older versions of software they haven’t updated with security patches -- and the use of specialized malware that can shut down or override more important systems, like braking. More likely, though, that access would be used to run down the battery by wasting electricity.
Connectivity software, like the kind meant to stymie thieves from driving off with a vehicle, can be vulnerable too: By gaining access to companies’ databases, thieves can give themselves full access to any car they have identification numbers for. Additionally, there are special tools, “used to test cars, trucks, minivans and SUVs,” according to Car Complaints, that, “use keyless remotes and push-button ignitions” to find vulnerabilities but can be repurposed to open, start or stop vehicles.
Other hacks are even more general, with researchers showing that they can unlock a wide range of cars at will by purchasing off the shelf radio devices to intercept and write over wireless key signals. The interceptors, with some deft engineering, can defeat many basic cryptographic measures in use today. Compared to the prospect of cutting the brakes on an SUV by way of a fake app store email, this is a much more tractable problem to solve. Manufacturers are already, as outlined by a report from Car and Driver, mandating authentication pins or other security commands for the most important functions on a vehicle.
The little extra time this requires goes some way to ameliorate vulnerabilities.
(And, of course, there’s the fact that the more IoT devices there are in cars, the more IoT devices there are period, and the more IoT devices that aren’t properly secured, the more botnet capacity there is to launch denial of service attacks.)
What’s less clear, in the US but also other countries, is just who is in charge of setting down industry-wide standards. According to cdt.org, there are at least three agencies in America, the National Highway Traffic Safety Administration (NHTSA), the Federal Trade Commission (FTC), and the Federal Communications Commission (FCC) that have parts to play. Then there are hosts of state, local, and federal government offices, plus the manufacturers themselves, to consider. Even more so than the technical problems, all of these parties, and motorists, are going to have to buckle up to set standards up as we look not just at droid drivers, but the larger smart car market as we edge towards the age of autonomous cars.