Worrying about hackers breaking into your laptop and cell phone is bad enough, but soon your car may be vulnerable, too. With each new model year, the automobile becomes less a collection of mechanical devices and more a sophisticated network of computers linked to one another and to the Internet. Earlier this year a group of researchers proved that a hacker could conceivably use a cell phone to unlock a car’s doors and start its engine remotely, then get behind the wheel and drive away. In work presented in March to a committee of the National Academies, Stefan Savage, a computer science professor at the University of California, San Diego, and Tadayoshi Kohno of the University of Washington, placed malicious software on an unspecified car’s computer system using its own Bluetooth and cell phone connections. The software could have been used to co-opt the car’s computer system, including its engine. The research “shows the need for security measures in vehicular onboard networks,” says Olaf Henniger, a researcher at Germany’s Fraunhofer Institute for Secure Information Technology.
Henniger and his colleagues are working to create just that. He is a member of EVITA, an effort that was launched in 2008 with the help of BMW Group, Fujitsu and others to develop a security blueprint that carmakers can follow to build more secure onboard networks. The project, which is scheduled to wrap up at the end of the year, has already developed prototypes that would encrypt or authenticate data exchanged within the car, with other cars and with equipment on roadways.
Whether car companies are willing to invest in the additional security remains to be seen, says Anup Ghosh of George Mason University’s Center for Secure Information Systems. Many manufacturers say their vehicles are already safe. Ford has a built-in firewall to protect its SYNC system against network attacks and separates its vehicle-control network from its infotainment network, says Rich Strader, director of the company’s Information Technology, Security and Strategy practice. General Motors says its mobile app never communicates directly with the car but instead connects to OnStar’s network, which requires authentication.
The research does not mean that cars are suddenly vulnerable to network attacks. Savage, Kohno and their colleagues are merely reporting the result of several years of experiments. Still, it seems the unending chess match between hackers and security experts has found a new field of play.