The information below represents the author’s own reporting, and does not necessarily represent the views of Qualcomm.
“Congratulations! You just purchased your first real owner’s manual,” reads the enthusiastic introduction to the succinctly titled Car Hacker's Handbook. “This manual doesn’t focus on what all those dashboard lights are, but on how to control them.” The author goes on to break down the complete anatomy of the car, from the central computer to the protocols that let various components work with each other.
The idea behind the book is not to train car hackers. The hope is that these reverse-engineering hobbyists will use its guidance to spot vulnerabilities and report them to automakers, who might be hesitant to trumpet the failings of their products to the public.
The handbook is one example of how would-be car hackers hope to secure us on the road. The technology world knows the drill and has developed a culture of quick responses to critical security flaws. Car manufacturers, on the other hand, aren’t exactly used to such a pace, since connectivity is new to their toolbox. So as car manufacturers play catch-up, this home-grown group of hobbyists is bridging the gap. The solutions they surface can’t come soon enough: Now that cars are connecting via LTE, Wi-Fi, and Bluetooth—and thus to external devices like smartphones—there are plenty of ways to manipulate the car from afar.
Indeed, connecting cars to the outside world comes with risks for which we might be ill-prepared. Sen. Ed Markey (D-Mass.) oversaw a survey of 16 auto manufacturers that found that automobile cybersecurity is, at best, immature. The report concluded that the industry needs to build security standards that reach across cars. And a recent episode of 60 Minutes showed journalist Lesley Stahl gliding around a parking lot while a DARPA specialist remotely monkeyed with the windshield wipers and triggered the brakes. The scene was as comical as it was terrifying.
Truly, these giant driving mobile devices are more vulnerable than they’ve ever been. The cars demoed at CES 2015 were yet another reminder of just how advanced cars are becoming. Like our smartphones, our vehicles are connecting to the rest of the world to stream content, pinpoint our location, and receive real-time weather updates, among a ballooning number of other tasks. Our cars are also connecting to one another, and this vehicle-to-vehicle communication is a technology that could save lives (MIT Technology Review named it one of the 10 breakthrough technologies of 2015).
Given all this connectivity, the problem has become crystal clear: When left unsecured, each access point is susceptible to outside influence.
So, with all these connections, why aren’t more cars getting hacked? Simply put: Because it’s still very difficult to do. Attackers need to know a lot about the ins and outs of the specific car before working their hacker magic. Still, experts caution that this could change.
“Vehicles used to have the luxury of being a ‘closed system,’” said security expert and handbook author Craig Smith. “As manufacturers race to add features they are connecting to more devices and more systems.”
Security researchers are beginning to come together to explore and tame the wild west of car security, Smith explains. I Am The Cavalry, a grassroots organization that champions security, has proposed a five-star auto cyber safety program that urges manufacturers to patch up vulnerabilities and steer themselves in the right direction. Fixes are forthcoming, as well. Last year a couple of hackers built a simple anti-hacking device consisting of an mbed NXP microcontroller and computer board that plugs into the car; the device detects attacks and responds accordingly. Apparently it’s not terribly difficult to build a device that spots intrusions.
Smith is also founder of OpenGarages, a community that meets in a few scattered U.S. cities, including Seattle and Amherst, and attracts a very particular breed of automobile hobbyist. They meet in so-called Vehicle Research Labs “to discuss and hack cars” and further their understanding of the complex beasts. (Think of them like 21st-century gearheads, who, instead of applying their DIY attitude to souping up hot rods, are tinkering with code and circuit boards.) The Car Hacker’s Handbook is one result of their quest to open up car security research to the public. They’ve also open-sourced tools, documentation, and PC board layouts on their Wiki-style website.
Despite the grassroots nature of the current car security environment (as we’ve seen with the likes of I Am The Cavalry and OpenGarages), Smith is fairly optimistic that more “official” security agencies will soon take the reins. He said he wouldn’t be surprised to see security ratings appear alongside the familiar safety and crash-test ratings doled out by the National Highway Traffic Safety Administration “in the near future.” (Keep in mind that it took time for those car safety standards to develop, and they continue to evolve even today.)
Even while there are risks to connecting cars, these new communications systems aren’t going away. They probably shouldn’t, considering the lives connectivity could save. The key, however, is securing them. “When done correctly, connected and self driving vehicles can lead to a huge improvement in road safety and efficiency,” Smith said.