Cars once were just brainless machines, controlled by cables, belts and sparks of electricity. Emissions were among the first computerized systems on most cars, along with fuel injectors and anti-lock brakes.
Each computer had a distinct purpose, and more purposes existed in newer and fancier cars. The problem was, these systems did not exist in isolation. The anti-lock brakes needed to know if the wheels were spinning wildly. The air bags needed to know if the car was abruptly decelerating. The dashboard display needed to know if the fuel tank was getting low or if the engine was overheating.
Such systems speak to one another using a computer protocol, called “CAN,” that was created in the 1980s and, like most of the protocols that run the Internet itself, lacks what experts call the ability to “authenticate” messages. That means onboard computers typically have no way to know whether a given command originates from the car’s engine control unit, from a mechanic or from a hacker.
Manufacturers have belatedly begun trying to retrofit protections into their onboard computers. But experts say it is notoriously difficult to build security into systems that were not designed for it from the beginning — a problem that long has bedeviled the larger online world as it has evolved from a network run by a few dozen computer scientists to a vast system open to billions of people worldwide.
“When there are unintended consequences and your computer crashes, that’s one thing,” said Ashkan Soltani, chief technologist for the Federal Trade Commission, which issued a report in January warning of the security and privacy issues of the Internet of Things. “When there are unintended consequences and your car crashes, that’s a totally different ballgame.”
Rad, who conducted early car hacking research before demonstrating vulnerabilities in prison doors and other mechanical systems, sits on a Society of Automotive Engineers committee working on cybersecurity. She says it’s clear the issue has the attention of the auto industry.
“They are taking action on this,” Rad said. “They know the stakes are high, and they also know that they have work to do.”
In a speech Tuesday, Mark R. Rosekind, the head of the National Highway Traffic Safety Administration, said that federal transportation officials also are working on the problem and have a cybersecurity research team at a car-testing facility in Ohio.
“The folks at our Vehicle Research and Test Center have figured out how to do some remarkable things with vehicle electronics, in order to prevent others from doing them,” Rosekind said, according to his prepared remarks. “NHTSA not only is aware of these threats, but we’re working to defeat them.”
But Markey said both the industry and the government should do more. When he submitted questions to 20 automakers last year, the answers from most were incomplete. Some didn’t reply at all. Only two reported having a system to detect and report hacks as they happen.
“They’re not doing nearly enough,” Markey said. “There are major holes in how companies are protecting against hackers.”
His bill to require minimum cybersecurity standards and a federal rating system that he calls a “Cyber Dashboard” runs contrary to the industry’s resistance to new federal rules. The Auto Alliance said in a statement, “As evidenced by the recent federal breaches in the government, a static, regulatory-based approach to cybersecurity seems like an outdated approach, ill-suited to the current times especially because of the fluid nature of these potential threats.”
There is another fight brewing in Washington that could affect the future of car cybersecurity. Miller, Rad and other researchers are pushing for an exemption to digital copyright laws to protect them while they work. Automakers say they own the computer code in their cars, meaning that researchers could be charged under piracy laws when they download it and make alterations.
The industry says the law protects consumers by preventing cars from being hacked. But the main impact, say Rad and other security researchers, is to stem the tide of revelations embarrassing to carmakers — not to improve vehicle cybersecurity. “If the stuff is out there,” she said, “the bad guys already know about it.”