Hackers' Future Target: AutomobilesCould Terrorist Insert Malicious Code to Create Havoc on the Interstate?
Imagine brakes failing or the steering wheel seizing on scores if not hundreds of cars simultaneously, causing catastrophic crashes throughout the country. As cars become more computerized, and linked through networks, couldn't terrorists virtually target automobiles as they've done by with jetliners and buildings, but instead use technology rather than individuals to begin the chain of events leading to a disaster?
The thought of such attacks never entered my mind until I spoke Monday with Bob Brammer, chief technology officer and vice president at integrator Northrop Grumman Information Systems.
Brammer points out that most cars contain 50, perhaps 100 or more tiny computers that control the accelerator, brakes, displays, steering and such, all accessed through a diagnostic port that serves as the vehicles' USB port. Citing a study published in an IEEE journal, Brammer says:
"It's possible to take over a car, controlling the brakes, the accelerator, the steering wheel, despite whatever the driver might want to do. Our automobiles are highly vulnerable from a cybersecurity view."
A paper, Experimental Security Analysis of a Modern Automobile, delivered earlier this year at an IEEE symposium, says the potential attack window could widen as more automakers provide vehicle-to-vehicle and vehicle-to-infrastructure communications networks to third-party development:
"An attacker who is able to infiltrate virtually any electronic control unit can leverage this ability to completely circumvent a broad array of safety-critical systems."
In the lab and road tests, the researchers said they took control of a number of the car's functions and the driver could do nothing about it. They bypassed basic network security protection within the car, and embedded malicious code in its telmatics unit to erase any evidence of the hack's presence after a crash.
Brammer, for now, sees the threat to cars as more theoretical than practical. But he says it demonstrates that we must think about cybersecurity more broadly than we have in the past.
"As the trend is to put more IT into everything that we do - whether it's cars, airplanes, power grids, water supplies, whatever - we have to think about the security aspects of the design. These systems, within reason, have to be able to withstand certain types of attempts to attack or exploit them. That's a terrible thing have to say, but I think that's the way world is these day."
Who should protect us from these new vulnerabilities? It's primarily the job of industry, Brammer says, adding he hopes automakers recognize the problem and take the proper steps to prevent such attacks before they become more viable.
If industry doesn't do it, perhaps government will. Is that something most people want?