Hack attack: How vulnerable is your vehicle?

January 23, 2015

This week, news broke that two million people who use Progressive Snapshot (a small device that tracks a car’s path to help determine its car insurance rate) may be vulnerable to hacking. But Snapshot drivers aren’t the only ones who are open to a potential hacking attack: Two hackers who demonstrated in 2013 how they could hack into the steering and brakes of two cars using only laptops connected to the vehicles have also offered up research on other cars’ vulnerabilities.

A tool Progressive Insurance uses to monitor driving habits is eminently hackable – leading to more questions about the computerization of vehicles. Image from AlBargan.

The recent Progressive issue was discovered by researchers in Florida who were able to hack into a network that supports control of “critical vehicle functions” — braking, steering, and throttle inputs. Progressive customers can choose to plug in a small device called a dongle, which plugs into a car’s OBD-II diagnostic port and gathers info on mileage, times of use, and how hard its driver brakes. That data is used to determine how safe a driver drives, and can lower car insurance premiums by as much as 30%.

“What we found with this device was that it was designed with no security features,” Dale Peterson, founder and CEO of Digital Bond Labs, explained to Autoblog. “It wasn’t even based on basic security coding practices… It’s a house that has no doors, no windows and no fences, with valuables inside.” Progressive responded in a written statement: “To be clear, the researcher was not able to control any vehicle functions and we do not have evidence that anyone else has been able to do so. However, we take security very seriously and intend to investigate the matter thoroughly.”

But even cars that aren’t equipped with Snapshot may be hackable. Charlie Miller and Chris Valasek — who had hacked into a Toyota Prius and Ford Escape — presented research on their analysis of cars’ susceptibility to hack attacks last summer. The pair analyzed 24 different cars to determine how a remote attack might unfold, and created what Wired calls “a kind of handbook of ratings and reviews of automobiles for the potential hackability of their networked components.” Valasek, who is director of vehicle security research at security firm IOActive, explained how hacking potential varies by vehicle: “It really depends on the architecture: If you hack the radio, can you send messages to the brakes or the steering? And if you can, what can you do with them?”

The “handbook” is more a list of potential flaws than of hard-and-fast facts. The research included no hands-on hacking; instead, they registered for mechanics’ accounts on carmaker websites, then downloaded cars’ technical manuals and wiring diagrams, and scrutinized the computer networks outlined in those manuals and diagrams. Their most hackable cars include the 2014 Infiniti Q50, the 2014 Jeep Cherokee and the 2015 Cadillac Escalade. (Check out this chart for more details.)

The cars’ rankings were determined by 1) the scope of their “wireless attack surface” (Bluetooth, Wi-Fi, keyless entry systems, and other radio-connected features which could be used by a hacker to get into the car’s network); 2) the vehicles’ network architecture and how easy it could be for a hacker to access more significant systems like steering and brakes; and 3) vehicles’ “cyberphysical” features, such as parking and lane assist, which might be used to “transform a few spoofed digital commands into an actual out-of-control car.”

As futuristic — or theoretical — as it might sound, car hacking is possible with current technology. Valasek and Miller, who have shared their research with both the Department of Transportation and the Society of Automobile Engineers, aim to create enough public pressure that automakers will address security gaps. “Our main takeaway is that companies should consider security before adding pieces onto an automobile, especially when those pieces have remote connectivity or cyberphysical attributes,” Valasek told Wired.

Check out the full report, available online here: Survey of Remote Attack Surfaces.