The London Metropolitan Police recently reported that half of all car thefts in the city last year were committed without the traditional tools of the trade. Rather, the thieves used high-tech devices to exploit a vulnerability unique to the newest (and most desirable) car models: their onboard computer systems. The tools to “hack” a car are relatively cheap, and instructions are easy to procure online. They allow thieves to disable alarm systems, unlock doors and control the lights, steering, brakes and navigation system.
Security experts warn that these breaches represent more than a financial loss for consumers. They also pose serious public safety and privacy risks. The threat demands the immediate attention of consumers, policymakers and the automobile industry.
The move toward in-vehicle computers came in the mid-1990s and was driven by new emission regulations. These systems facilitated emission testing and other routine diagnostics by allowing mechanics to connect directly to the vehicle's onboard computer.
But today's cars run millions of lines of software code. This computing power is evident in the numerous features that have made driving safer and more comfortable: Cameras and sensors help prevent accidents when backing out of parking spaces, adaptive cruise control increases fuel efficiency, keyless entry offers unparalleled convenience when carrying an armful of grocery bags, and electric power steering and brakes improve driver response.
Ford is planning a “traffic jam assist” feature to allow cars to steer, throttle and brake via computer control. And, of course, public attention has focused on demonstrations of Google's driverless car.
In addition to the multitude of systems that perform functions traditionally controlled mechanically or by the driver, modern cars are equipped with integrated wireless communication and navigation systems. Drivers can find their way with onboard GPS while participating in conference calls through their car's smartphone docking system. But it's important to remember that the convenience these systems offer is also extended to potential hackers.
As far back as 2009, privacy advocates and consumers were expressing concern about the ease with which a third party could listen in on conversations or track vehicle movements when GM began equipping its new vehicles with OnStar. The subscription service was designed to detect and report accidents, facilitate the recovery of stolen vehicles, and allow drivers to make hands-free calls. It also provides diagnostic and mileage reports, and it can even unlock the doors if a driver misplaces his or her keys.
Privacy and security experts have even more reason to be concerned today, given the widespread availability and use of similar systems. A series of incidents has shown how easy it can be to exploit their vulnerabilities. In 2010, for example, a 20-year-old disgruntled employee in Austin, Texas, tampered with data on a Web-based system used to remotely disable repossessed vehicles, leaving more than 100 drivers unable to start their cars or stop the horns from blaring.
That same year, researchers at the University of Washington exposed numerous flaws in onboard networks when they succeeded in embedding malicious code that disabled a vehicle's braking system. Last year, two DARPA-funded researchers connected a laptop to a Ford Escape, programmed the vehicle to override the driver's commands, and diverted it remotely to a vacant field. The same researchers compromised a Toyota Prius, demonstrating how they could remotely control the car's acceleration, steering, brakes, horn and even the tightness of the seat belts.
In the field of information technology, there is an established history of adopting operating systems that are easier to work with but less secure. Arguably, the Internet itself grew from a design philosophy that placed interoperability and usability ahead of security. We've seen the financial damage that can be done by large-scale data breaches, but it's easy to forget that malicious code can also cause physical damage. We need only look to Stuxnet, the computer worm that ravaged Iran's nuclear centrifuges by causing them to spin out of control, to realize that it's possible for a cyberattack to hop the digital barrier and destroy equipment and facilities.
The rudimentary security protections on vehicles have not kept pace with the sophistication of the systems that control critical driver safety features, navigation capabilities and wireless communication functions. Onboard computer networks will likely become a great deal more attractive to hackers — whether their aim is to steal a car, eavesdrop on a conversation, stalk a potential victim, or cause a devastating traffic accident.
A review of the security standards for vehicle systems is long overdue. The federal government has set a wide range of minimal safety standards for automobiles over the years, and this latest threat should be met with a similar response. Consumers can help by letting policymakers know they back new protections. Action is critically needed and it could save lives.
Isaac R. Porche III is a senior researcher and Timothy M. Bonds is director of the RAND Arroyo Center at the nonprofit, nonpartisan RAND Corporation.
This commentary originally appeared in The San Francisco Chronicle on June 27, 2014. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.