Earlier this year we reported on research from the University of Washington and the University of California, San Diego, that showed how researchers were able to break into vehicle networks or change features—in some cases, while the vehicle was in motion.
That report is now available, and includes some eye-opening examples of what could be done remotely with some determination.
"In the United States, the federally-mandated On-Board Diagnostics port, under the dash in virtually all modern vehicles, provides direct and standard access to internal automotive networks," said the report authors. "User-upgradable subsystems such as audio players are routinely attached to these same internal networks, as are a variety of short-range wireless devices (Bluetooth, wireless tire pressure sensors, etc.)."
Safety-critical systems (such as stability control or engine control) actually haven't been isolated from non-safety-critical systems (such as entertainment systems), the report reveals, and systems such as GM's OnStar services, which allow remote access already, might make them especially vulnerable.
Other concerns, looking many more years ahead, involve so-called vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2X) systems, which would share (and in some cases modify) certain vehicle details and functions so as to help smooth traffic flow and prevent accidents.
The report also expresses concern over those who plan to use the connectivity of their vehicle as a "platform"—for instance Ford, which will make its Sync system usable by third-party applications. Furthermore, there's an open-source vehicle infotainment system under development.
Researchers looked at what a malicious attacker could do either with physical access—by inserting a component into an OBD-II port—or with one of many wireless interfaces, either through built-in vehicle connectivity or a smartphone interface. Methods varied from what they called 'targeted probing' (learning remote controls) to 'fuzzing' (simply disrupting operation) or 'reverse engineering' for more specialized tasks.
Yet another report, from researchers at the University of South Carolina and Rutgers found tire-pressure monitoring systems easy to break into—suggesting that it would be easy to spoof a warning and cause a driver to pull over and inspect the vehicle, making them vulnerable to theft.
In a Q&A session with The Car Connection this past week, Ford's tech communications officer Alan Hall responded that there are multiple measures in place to prevent hacking, and though vehicle data is shared with Sync, it's a one-way transfer through a firewall.
The examples found by researchers sound, as of yet, isolated instances. However, an analyst at the market-research firm iSuppli pointed out to CNET, as part of an excellent piece looking into these security issues, while vehicle hacking isn't an issue yet, it could be in five years, so automakers had better prepare and build security into vehicles now.