First, hackers came after your laptop, then your smartphone, and now they may come after your car.
As cars become increasingly connected to the internet, security researchers are discovering a staggering number of security holes in the technology that powers smart cars.
Most of the time these vulnerabilities stem from automakers simply not having the right expertise when it comes to securing computer systems from cyber criminals, Jeff Williams, chief technology officer of the security firm Contrast Security, told Business Insider.
“Cars are vulnerable because they were never built with defences in mind. If you take something that was designed to work in one set environment and you connect to it a much more hostile environment, you don’t have the right defences in place. So of course it’s vulnerable. It’s like Bambi walking out of the forest into the field,” Williams said.
“Nobody today designs cars to operate on the internet, but all of a sudden we are connecting them. And so then we are getting thrown in the deep end.”
More wireless cars means easier access for hackers
The number of cars connected to the internet keeps growing — and quickly. By 2020, Gartner estimates that there will be a quarter of a billion connected vehicles on the road.
Security researchers, though, have been testing vulnerabilities in these cars for a while. But until recently they have mostly been able to breach a car only when within a certain physical range or with special hardware they had previously installed in the car.
But recently white hat hackers have shown that certain makes and models of cars with wireless connectivity can be breached without these conditions.
On Tuesday, a Wired report revealed two security researchers had discovered a vulnerability that allows some Fiat Chrysler vehicles to be controlled remotely over the internet from thousands of miles away.
The vulnerability exists in Uconnect, the feature found in Fiat Chrysler vehicles that enables phone calls, controls entertainment and navigation, and powers a WiFi hotspot.
By exploiting it, the hackers were able to use Uconnect’s cellular connection to find out the car’s IP address and gain access from anywhere in the country.
From that entry point the hackers were able to gain access to the chip controlling entertainment and rewrite firmware so that they could implant code to take over things like the engine and brakes. However, they only fully tested these capabilities on Chrysler’s Jeep Cherokee.
In a statement to Business Insider, a Chrysler spokesperson said the company has a team that identifies potential vulnerabilities in its vehicles. The company also says it doesn’t condone researchers like those who were able to hack the Jeep Cherokee sharing their findings with other researchers.
This is just one terrifying example of how vulnerable connected vehicles have become.
Earlier this year, a vulnerability was discovered in BMW’s system that allowed researchers to remotely open the vehicle’s locks.
“When you start adding technologies like Uconnect and all of a sudden your car is connected directly to the internet and your car’s IP address then you are accessible from any computer in the world,” Williams said. “We have networked all of these things and now they are remotely attackable.”
While researchers have been the primary ones to expose these weaknesses, it’s only a matter of time before nefarious hackers catch on and figure out a way to make money off exploiting these dangerous vulnerabilities. Then we could potentially have a big problem on our hands, Williams said.
For example, one way a hacker might try to cash in on these vulnerabilities is by using a car’s GPS to locate someone in a remote area, then installing a ransomware-type virus on their car’s computer so that it won’t work until a certain amount of money is transferred to the criminal’s account.
How to protect your smart car
If you are a smart car owner, the most important thing you can do is keep your car’s software up to date.
Unfortunately, this isn’t always a seamless process.
While some companies roll out wireless updates, most do not, Williams said. For example, Chrysler has a patch that is available for download that will fix the vulnerability recently discovered, but owners have to install the update via a USB drive or visit their local dealer to have the update installed.
“In a lot of ways, consumers are helpless in this situation. There’s really not a lot that you can do to truly secure your car because you don’t have visibility into your software or how it is produced,” Williams said.
“The only power that consumers have is really the power of the purse and consumers can reward vendors who are open about security and being transparent about the security they provide in their product,” he said.