Can your car be hacked?
We all know you need to protect your computer against hackers, but what about other devices linked to wireless technology? We seldom think about the risks our cars pose; from OnStar to Sirius, our cars are doing more than just getting us from point A to B. As technology evolves, so should the appropriate security measures. This issue was recently addressed in regards to Zubie.
Zubie is a small box that plugs into your car’s On-Board Diagnostics (ODBII) port. By plugging in to your car, Zubie can tell you how well you’re driving and help you save money by offering tips on how to get the most out of your mileage. Sounds like a neat tool, but until recent, Zubie lacked security measures they desperately needed to prevent a user’s car from being hijacked.
Unit 8200, an elite Israeli Defense Force, discovered the security risk which would allow hijackers to interfere with critical system operations like braking, steering, and engine controls. Zubie connects to a remote server over a GPRS connection, which is used to aggregate data and then send it to a central server.
This is also used to receive security updates. Unit 8200 discovered that the device was not communicating with the home server over an encrypted connection. As a result, it was possible to spoof the Zubie central server and send some specially crafted malware to the device, which could result in a lose of control for the driver, as well as a host of other problems.
The security risk does not apply solely to the Zubie, however
In 2013, Charlie Miller and Chris Valasek demonstrated an attack where they compromised a Ford Escape and Toyota Prius and managed to take control of the braking and steering facilities. However, it had to be plugged into the vehicle. Which makes one wonder, if it was possible to accomplish the same thing, but without being physically tethered to the car.
That question was conclusively answered one year later, when Miller and Valasek conducted an even more detailed study on the security of 24 different models of cars. This time around, they were focusing on the capacity for an attacker to conduct a remote attack. Their 93-page report suggested that our cars weren’t as secure as once thought, with many lacking the most rudimentary cyber-security protections.
The Zubie vulnerability is a bit trickier. Although the vulnerability has since been patched, the weakness wasn’t about the car, but rather the third-party device that was attached to it. While some cars certainly have their own intrinsic vulnerability, adding third-party extras only increases the potential for hijacking.
With everything comes risk, so your car should be no different. If you take one thing away from this, let it be to take extra caution before adding the “latest and greatest” new toy to your car; simply make sure there is security software in place so that you can stay safe while enjoying the latest technology.