My other car is your car
Charlie Miller has hacked your phone, your web browser, and now he's coming for your car.
In August 2013, the automotive industry was in collective shock. Charlie Miller and Chris Valasek, two highly respected information security researchers, had just demonstrated working attacks against the on-board computers in cars, taking control of the steering, brakes, acceleration and more.
Shock quickly turned to denial. The attacks couldn't possibly be done remotely. They were impractical. There was no risk. Buyers should not be alarmed.
If any of that sounds familiar, it could be because the denials were similar to responses we've heard from the numerous companies Miller has humbled in his time as a security researcher, including web browsers and mobile operating systems. He has won the international Pwn2Own competition four times, usually by attacking Apple products. An ex-NSA security specialist ('global network exploitation analyst' - you figure it out), he now works for Twitter. Hacking cars is just a hobby.
And now he's coming to South Africa to demonstrate his findings for a local audience, along with his observations of security practices across the industry. Modern vehicles, equipped as they are with a multitude of sensors, actuators, microcontrollers and computers, need a way for all the systems to communicate. Previously, every manufacturer came up with their own scheme, but in 1983, Bosch invented the Controller Area Network ('CAN') and the CAN bus, a shared, standards-based communications network that hooks everything together. Nearly all modern cars use the system - in fact, since 2008, it has been a federal requirement that all new cars sold in the US have to conform to the CAN standard. Implementation still varies from one car to another, but the basics remain the same.
Unfortunately, the system is not very secure. Every component is trusted, in a naive approach startlingly reminiscent of 1990s-era computing. Checks and balances are usually there to avoid malfunctioning sensors, not to thwart attacks. And because it's a broadcast network, you can introduce malicious traffic and drown out a legitimate component. The attack, glossing over the months of reverse-engineering the signalling and protocols, simply involves hooking into the on-board network with some custom-built electronics and software.
The reality is that mobile devices are way more secure than desktops.Charlie Miller, Twitter
For example, Miller demonstrated an attack that used the automatic parking feature in a Toyota Prius to effect sudden swerves at speed. "In the Toyota, the autoparking mechanism is designed so it will only control the steering when if you're in reverse, in autopark mode, and going less than five miles an hour," he says. "But we were able to make it work when you're going 70mph forward - we sent messages on the network saying, 'hey, you're in reverse', 'hey, you're in autopark', 'hey, you're going very slowly...now turn the wheel'. And it would do it."
So are we going to see hackers taking over cars? Remote hijacks? Occupants held hostage by their own central locking? Not any time soon, says Miller. Not unless the automotive industry really drops the ball...and they might.
"The attacks are possible, but right now they're difficult. You're probably not going to see it for a while. Personally, I'm not scared someone's going to hack my car. The idea of the research was to try to get ahead of the curve for a change, get fixes and get talking about it before there's a problem." The most plausible avenue for attack is an insider - a devious technician planting a remote-access device, but even that risk is low.
However, it is a growing risk. Vehicles are becoming increasingly computerised - modern luxury sedans have hundreds of components on that CAN network, including online services such as media streaming and navigation. It's a tempting target, and Miller is blunt about what comes next: "Chris and I aren't that special. We didn't do anything magical - other people are going to do the same thing we did. We're going to see more of this until the industry does something about it."
The computerisation of cars is symptomatic of a broader evolution: the so-called Internet of things.
The computerisation of cars is symptomatic of a broader evolution: the so-called Internet of Things, which describes a world with intelligence embedded into everything from cars to kettles, refrigerators to running shoes. Ubiquitous sensor data opens the door to some exciting possibilities, but also expands the attack surface for the likes of Charlie Miller.
The Internet of Things is being driven heavily by cloud computing and by the proliferation of mobile devices, and smartphones are already coming under attack. But Miller says that despite the horror stories and hype, and despite the proofs of concept attacks from himself and his colleagues, mobile phones are actually pretty secure. "The reality is that mobile devices are way more secure than desktops. I'm not concerned," he says, despite his own track record of successfully attacking Apple devices. "I use an iPhone and as far as I know, it's pretty secure. In the whole history of the iPhone, there have been a handful of pieces of malware. Compare that to the PC; there have probably been five pieces of malware written while we've been talking! Even Android - we hear of Android malware but the real numbers are small - it's a rounding error compared to desktop malware."
Miller's NSA background can't go unmentioned: he spent five years working for the agency that was the centre of so much attention after Edward Snowden's revelations of widespread internet surveillance. Miller is blunt about that: spy agencies, and not just the US ones, are so sophisticated, so well-funded and so resourceful that no defence is possible. "All the traditional advice we give - don't click on this, use anti-virus...all that goes out the window when you're talking about an adversary with unlimited resources. There's no way to protect yourself. I'm an expert; I know what to do. But if the NSA wants to hack into my computer, there's nothing I could do about it and there's no way I would even know.
"The only thing you can do is say, fine, let's ignore those guys and worry about the attackers you can do something about - the everyday cyber criminals. And fall back on the security stuff we've been developing for decades. That stuff really does work."
First published in the April 2014 issue of ITWeb Brainstorm magazine.