Does Having OnStar Really Open Your Car Up to Hackers?
Not long ago, the CBS news program 60 Minutes aired a segment that purported to show a hacker taking control of a late-model sedan with nothing more than a laptop and a remote control. While being able to turn on the windshield wipers is unlikely to cause any real damage, disengaging the brakes as they did in the demonstration would be incredibly dangerous. The idea that someone you might never see could potentially do more than just control your radio is terrifying, especially on a large scale. What would happen if a hacker used a program to take control of every car in America? The results could be devastating.
According to 60 Minutes, the hacker in the demonstration was able to gain control of the car by way of its “emergency communications system.” That emergency communications system was OnStar, a service that General Motors has offered since the mid-1990s and that is available for non-GM vehicles as of 2011. Even if you don’t subscribe to the service, the capability is still there in case you decide to subscribe in the future. With so many vehicles on the road that are equipped with OnStar, does that mean that millions of people are at risk of having their cars hacked? What about people without OnStar? Is every car potentially open to being taken over and controlled by a hacker?
Computers in cars are, of course, nothing new. Even in the 1970s, features like electronic fuel injection were beginning to find their way into cars. Automakers quickly found that electronic methods were superior to the earlier mechanical methods, providing not just more power, but better control and efficiency. Today, nearly every aspect of a car is controlled or monitored by a computer.
What is new, however, is a car with computers that aren’t a closed system. Until fairly recently, all of the computers that kept a car running communicated exclusively with each other. Unless someone had access to the car itself, gaining control of those computers was essentially impossible. If someone broke into your car with the intent to do more than just steal your dry cleaning and loose change, that person could reprogram your car’s computer systems.
On a totally benign level, tuning companies have been doing this for years. They create custom programs to run on a car’s computers that allow drivers to get maximum power out of their engines. Those tuning companies are given permission by each car’s owner to install those programs, though. Someone breaking into your car could theoretically install a different, more malicious program. If they didn’t install a wireless transmitter, though, there would still be no way for them to control your car remotely.
What could potentially open up cars to being taken over remotely, though, is the move from a closed system to an open system. In order to integrate modern technology and offer more convenient features, automakers have developed new systems like OnStar that allow their cars to communicate wirelessly. As with home computers, that means that a lot of cars can now receive software updates without needing to be brought into the dealership. If, say, BMW finds a bug in its engine management software, it can now fix the problem without the expense and inconvenience of issuing a recall.
Opening up a car’s computer system to allow for wireless software updates, immobilization in the event of theft, or even remote diagnosis of a problem is incredibly convenient. But while many people enjoy those features, their existence is what could open a car up to a worst-case scenario in which a hacker gains control of it. If the 60 Minutes segment is accurate, a remote takeover really is possible. It should be pointed out, though, that no one has seen proof that the car in question wasn’t tampered with. Considering 60 Minutes’ history of tampering with cars for a salacious story, skepticism is certainly warranted.
That doesn’t mean that cars are entirely safe. Just because your car is very unlikely to be taken over by a malicious hacker and turned into a remote control torpedo right now doesn’t mean that the potential isn’t there. The New York Times states that according to a recently released report, “[s]erious gaps in security and customer privacy affect nearly every vehicle that uses wireless technology”:
The report found that large amounts of data on driving histories are harvested, frequently without consumers being explicitly aware that the information is being collected or how it will be used. At least nine automakers use third-party companies to collect vehicle data, which can make consumers even more vulnerable, and some transmit that data to third-party data centers, too.
Unlike regularly updated and replaced devices like laptops and smartphones, cars are kept much longer, and updates are integrated much more slowly. Still, it’s incredibly concerning to hear that automakers aren’t taking appropriate measures to ensure that cars are kept secure from a remote attack and that personal information is appropriately secured. It’s even more concerning as vehicle-to-vehicle communication draws closer to production. Yes, V2V communication offers the possibility for improved traffic flow, fewer crashes, and more advanced self-driving technologies, but if those communications aren’t properly secured, the risk is incredibly high.
According to Navigant Research Analyst Sam Abuelsamid, it’s time for automakers to get real on vehicle security:
Automakers are notoriously quiet when it comes to publicly discussing anything that might potentially be deemed a flaw in any of their products, but it’s time to change that attitude when it comes to electronic security … Automakers often like to brag about how many millions of lines of code are in the latest and greatest new vehicle and how many gigabytes of data are processed every second. They neglect to mention how every additional byte of code means more potential for mistakes or security flaws.
Discovering bugs, flaws, and vulnerabilities in automobile computer code is important in the same way it’s important in regular computer programs, but unlike a cell phone app or computer program, vulnerabilities and bugs in a car’s wireless communication system could have life-threatening results. It’s expensive and time-consuming to continually develop more advanced and secure programs, but as quickly as technology is advancing, and as valuable as personal information is becoming, it’s still incredibly important.
Luckily, not all manufacturers are slow to take automobile security seriously. As Abuelsamid points out, “Tesla Motors started on the right track this year with the hiring of security expert Kristin Paget away from Apple. The company also sent a team of recruiters to the Black Hat and DefCon conferences to find more talent.”
Hopefully other major automakers will take a page out of Tesla’s book and begin investing more heavily in their own security teams. With self-driving cars and vehicle-to-vehicle communication on their way, consumers need to be able to trust that manufacturers are taking security seriously. A remote takeover of an OnStar-equipped vehicle is extremely unlikely to happen soon, but that doesn’t mean it won’t eventually be more likely. If automakers take security seriously, though, they can get out in front and minimize these risks.
If this is an important issue to you, take the time to contact these companies. The more pressure there is on them from customers to take security seriously, the more likely they are to do so. Then again, you could also always vote with your wallet and buy a Tesla.