More modern cars are easier to hack. So are pacemakers and other medical devices. What does that mean for the future?
Kathleen Fisher: We’re hearing a lot about the internet of things, how your many, many devices are becoming networked computers.
And many of these devices are a ten dollar thing that you buy and you put on your shelf and you have it for a year and you throw it away.
I think not a lot of attention is being paid to the security of those kinds of devices. In some sense the companies that are making them can’t afford to do it, but they can lead longstanding vulnerabilities.
The automotive industry is another interesting example. A typical American modern automobile has somewhere between 30 and 100 what are called “embedded control units”. An embedded control unit is just a computer. Some of them are very, very small and run very simple code native on the hardware.
Some of them are full blown Linux computers or Windows computers, and they’re networked. A modern car has four to five network connections where the computers on the car talk to computers outside of the car. So an example is: there’s a Bluetooth connection so that your cell phone can talk to the car so that you can play your music from your phone on the car or you can talk on the cell phone without having to use your hands. There’s also a telematics unit which is the thing that if you get in an accident will arrange to call 911 or have the paramedics come. That service which is really useful and it’s a great safety feature means that your car has a cell phone number and that it’s possible to communicate with your car over that cell phone connection. Hackers can use those network connections to remotely break in to the computer system that’s on your car, and white hat hackers have shown they can do that and then can then rewrite any of the software on the car, replace the code that was legitimately put there by the car manufacturer with whatever code they want to have there.
And a typical modern car pretty much all of the functionality of the car is now controlled by software. So braking is controlled by software because you really want to have antilock braking.
Acceleration is controlled by software because of cruise control. Like you really want to have a car that can do parallel parking for you. That means steering is under software control. The locks are under software control so you can push the key fob button and have your locks open. Essentially all of the functionality of cars are under software control. And for the most part that’s a really good thing. Having it be under software control means that you can get increased functionality. You can have improved safety features. You can get upgrades as the car companies figure out how to do things better. All of that’s really good.
The downside is that, because it’s controlled by software, if an attacker can come in and replace that software then they can control the braking and the acceleration and the locks and everything that was under software control.
So we’re starting to see theft rings, for example, that are using electronic hacking in order to steal cars more easily. Lloyds of London recently stopped insuring Land Rovers in England unless the Land Rovers were garaged in a locked facility because they were being stolen too frequently.
So that’s the kind of state of the art of the automotive industry. The question is well, why isn’t it better? So one starting point is: it’s really hard to get good security. You have to do tons of things right. It costs money. So the car industry could improve the security of their cars, and hopefully they will eventually. That improvement will cost them money and the car industry doesn’t have huge profit margins. They can’t really afford to invest in the security unless they can recoup the cost associated with that investment by passing the cost on to the consumer. So that means the price of the car is going to be higher.