Security experts have considered the possibility that staff at a USB drive manufacturing firm or retailer might tinker with those products before they’re sold to create a porthole into thousands of computers, either to harvest data or to infiltrate sensitive networks, Cobb says. While USB drives are perceived as simple memory sticks, they contain processors that handle chores like managing bad memory sectors. Those controllers can be hacked to function as processors for other purposes, Cobb says.
Malicious hackers could also take advantage of an automaker’s recall procedures to execute a cyber attack at scale. For example, criminals could set up a fake website that looks like Chrysler’s and lure car owners into downloading the criminals’ malware instead of the automaker’s real software patch, Cobb says. In a recent blog post, Cobb points out that criminals could easily download the real Chrysler patch, as long as they had the VIN of any affected car. They could then mine the code to create more damage. VINs are easy to get because they’re routinely included in used car ads, Cobb says.
After the Wired story emerged, Chrysler issued a recall providing that dealers would install the patch. But many drivers fail to respond to recall notices, even when a flagged defect poses significant dangers, Cobb says.
In addition to the security headaches for automakers, the growing population of connected cars could become a risk factor for business enterprises as a whole. Executives who are privy to sensitive company details may shed data such as personal contacts into their own cars, which may be lent to someone else, parked at a shopping mall, or remotely drained of information. Hackers often use the names of a target’s acquaintances to send fake e-mails that induce the recipients to open attachments containing malware. That kind of social engineering hack is often the entry point for a sustained infiltration of a company computer network.
Company cybersecurity experts also have to consider another factor: their executives aren’t always traveling in their own cars.
Cobb has looked at what happens in a connected rental car.
“I connected my iPhone and it sucked down all my contacts into the car,” Cobb says. He also looked at the car’s memory cache. “We saw entries like, Bob’s iPhone, Fred’s iPhone.” It’s not clear how much information in a driver’s or passenger’s phone gets into the car, or whether a rider can fully erase what has been downloaded, he says.
“As security researchers, we’re very keen to explore these questions,” Cobb says. “If the car becomes a repository of sensitive information, which that rental car did, then it will be targeted by people who steal and sell sensitive information.”
In the course of a business day, a car-pooling executive might travel to work in a colleague’s car, grab an Uber ride to the airport, and then take a rental car on arrival to get to a meeting. Cars can be configured as Wi-Fi hotspots, and riders as well as drivers can connect to the Internet with their smartphones or other devices.
Symantec’s Somasundaram points out that all cars, including rentals, ride-sharing cars, and an executive’s own car, will likely be sold on to a new owner at some point. A car may change hands four times during its useful lifespan of about 10 or 15 years, he says. It’s much less likely that someone will sell their mobile phone when they get a new one than sell their old car.
Once a dealer warranty expires, will car owners always know how to effectively scrub their personal data out of the vehicle’s memory before they sell the car to a stranger? Buying a used car could become a much more complex process than simply evaluating its mechanical condition. The buyer might also be inheriting corrupted code or porous firewalls that could affect vehicle performance, as well as old data from past owners.
Traditional businesses such as hospitals and auto manufacturers, which are starting to connect to the Internet and handle data, are more vulnerable to hackers because they’re not as aware as tech companies of the potential threat scenarios, Cobb says. Automakers need to increase their understanding of these dangers as they turn cars into connected mobile devices on wheels, he says.
“How many vehicle entertainment system designers are aware that there’s a global market in malicious hacking tools and people willing to use them?” Cobb said in his blog post. “And by the way, those people include thieves, spies, nation states, law enforcement agencies, activists, and grudge-holders, from every country on the planet.”
Possible remedies are available, though they could be expensive and cumbersome. They include separate wiring systems for entertainment systems and core computers, multiple authentication procedures to guard against unauthorized access to on-board features, more active efforts to push software updates out to car owners, and security software such as antivirus scanners for USB ports and other components.
As for Cobb, whose wife and brother also work in the cybersecurity field, he doesn’t feel exposed to the dangers of the connected automobile. He drives a 15-year-old car.
“I don’t think we’re ever going to buy a car that you can plug anything into,” Cobb says.