By Mike Antich

Fleet managers may worry about vehicles being stolen, but few have given much thought to having them hacked electronically. Most people don't realize a typical fleet vehicle contains 70-100 megabytes of binary code in 50-70 onboard microprocessors, and the amount of internal software code promises to grow in the future. A new study shows automotive software is as vulnerable to malicious hackers as the average PC. The report entitled, "Experimental Security Analysis of a Modern Automobile," was presented in May at the 2010 IEEE Symposium on Security and Privacy by a team from the University of Washington and the University of California, San Diego.

The research paper demonstrated how a sophisticated hacker could wreak havoc on a vehicle by manipulating the in-vehicle computer network or remotely accessing it via its wireless connectivity to the Web. The 11-person research team pointed out all new cars are "pervasively computerized" and control a wide array of components, including the engine, brakes, heating and cooling, lights, instrument panel, radio, and locks.

The researchers tested two 2009-model-year cars, whose make and model were not identified. They were able to connect a laptop to a standard onboard diagnostic computer port, which allowed them to control the car's computer wirelessly using a second laptop in a separate car. The team didn't identify the test cars because they did not want to single out a particular automaker. However, both vehicles had the controller area network (CAN) system, required as a diagnostic tool on all U.S. cars built since 2008. The team wrote a software utility program allowing them to listen to CAN traffic and insert their own network instructions. The paper demonstrated the ease in which a sophisticated attacker could control a wide range of automotive functions and completely bypass driver input. For example, by accessing the various electronic control modules (ECM) or engine control module, the researchers were able to manipulate the fuel level gauge, falsify the speedometer reading, display arbitrary dashboard messages, dial-up the heat or A/C, lock passengers in the car, continuously blare the horn, pop the trunk, turn off the lights, activate the windshield wipers, disable the brakes, selectively brake individual wheels on demand, and stop the engine. In addition, after deploying these malicious software commands, the team successfully erased any evidence of their tampering.

The research paper suggests two attack scenarios. Either by physical access gained by a mechanic, or even a spiteful significant other, who wishes to monitor and manipulate the vehicle's controls remotely over the Internet. Or, in the second attack scenario, someone hacking into one of the wireless networks found inside a vehicle. I would like to postulate another possible attack scenarios by a disgruntled computer-savvy employee, out to extract revenge on the company for a perceived wrong. Another possible attack could be directed at company officers by maliciously hacking into their executive fleet vehicles.

If you consider this far-fetched, consider the implications of what happened recently in Austin, Texas. Last February, more than 100 drivers in Austin had their vehicles immobilized or their horns blared uncontrollably after a disgruntled employee at a dealership hacked a system used to warn customers when they are behind on their auto repayment plans.

No Longer Just Mechanical Devices

The PCs in the early 1990s had latent software vulnerabilities. This wasn't an issue at the time because PCs did not have connectivity to other computers, outside of a local area network. However, when they became connected to the Internet, these latent vulnerabilities were exposed to outside attack. Vehicle technology is moving in the same direction, with a strong trend to provide Internet connectivity. Cars were strictly mechanical devices, but now we're seeing more and more electronics and connectivity, which means increased potential risk. The researchers wanted to point out the potential security risks if someone gained access to a vehicle's internal computer network. They did not want to take an alarmist tone, but simply show that it is possible. In the end, the software in a fleet vehicle is not fundamentally different from software on a PC, it's all binary code. The researchers advocate "hardening" these onboard systems and providing malware defenses before car hacking becomes a real problem. It's important to stress that no remote car hacking attacks have ever been recorded, and experiments designed to load malware into car systems using Bluetooth have been unsuccessful.

Hacking a car isn't easy. A would-be criminal would need advanced computer skills and access to the vehicle's on-board electronic and engine control modules to launch an attack. Fleet managers shouldn't be worried, at least not for now. However, in five to 10 years from now, all bets are off.

Let me know what you think.

mike.antich@bobit.com