The connected car is hackable, but hacking it is difficult. This has been proven by several research-based projects involving people with a lot more expertise, time, and resources than the average programmer has. The photo above is recent real-life proof. I was at a car hackathon and the keys were locked inside one of the demonstration cars. In a room full of people tasked with hacking a car, no one was able to open the car remotely. Instead, the event organizers ended up calling a roadside assistance service to force the car door open. Usually, the best way to compromise a car is the old-fashioned way.
Still, whenever I tell someone that I work in connected cars, there is a consistent fearful reaction about cars getting hacked. Protecting yourself against security compromises is mostly about risk management. You can read the original full text of my OS Delivers guest blog post Managing the Risks of Connected Car Security here, but I broke down the major points and actionable items below:
3 Major Motives of Hacking
There are three main motivations for hackers: challenge, profit, and activism. Take note that the scariest car hacks were carried out by the best security experts in this field, engaged in long-term studies.
1. Challenge
Most notable car hacks fall under this category. In these cases, security experts were given grant money to find security vulnerabilities. Over a year or so, these experts were able to take control of the car as long as they also had physical access to the car to install additional hardware.
2. Financial Gain
One of the more famous recent profit-motivated hacks was the compromise of 56 million credit cards of Home Depot customers. Some hacks in this category are straightforward access to financial records. In other cases, the goal is to leverage the processing power of the user’s computer. Usually, the end user does not even know that the computer has been turned into a “zombie” except for the occasional slowdown in performance. There has yet to be a noteworthy car-related hack that was motivated by financial gain.
3. Activism
Activist-motivated attacks, also known as hacktivism, promote a political agenda, usually free speech, human rights, or information technology ethics. The car is not an ideal platform for hacktivism because it lacks constant connectivity over high bandwidth and persistent electricity.
Security is about risk mitigation and management. As consumers and software developers, we should all take the following basic precautions.
What consumers can do
- Change the default admin username and password
- Update software when available
- Don’t reuse passwords across multiple accounts. Dropbox will back me up on this one.
- If you’re going to plug an after-market dongle into the OBD-II port of your car, make sure that the unit has Bluetooth security features and no default PIN code.
What developers can do
- Require the end user to change the admin name and password during configuration
- Don’t allow the default authentication
- Push alerts for updates and make automatic updates an option
- Over-the-air updates for cars. Tesla fixed their fire issue this way, avoiding the costly conventional recall process.
- Challenge hackers to break your security in a hackathon.
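The first two developer items above, sketched as an added example (not code from the original post): a device that refuses every login until the factory admin name and password have both been replaced. The `Device` class, the factory values, the 12-character minimum and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical factory defaults for an imaginary device (constructed values).
DEFAULT_USER, DEFAULT_PASSWORD = "admin", "admin"
PBKDF2_ROUNDS = 600_000  # assumed work factor; tune for the target hardware


class SetupRequired(Exception):
    """Raised while the device has not been given its own credentials."""


class Device:
    def __init__(self):
        # No usable credential exists until setup completes, so the
        # factory pair can never authenticate.
        self.user = None
        self._salt = None
        self._hash = None
        self.provisioned = False

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)

    def complete_setup(self, new_user, new_password):
        # Reject any attempt to keep either factory value.
        if new_user.lower() == DEFAULT_USER:
            raise ValueError("admin name must differ from the factory default")
        if new_password == DEFAULT_PASSWORD or len(new_password) < 12:
            raise ValueError("password must be new and at least 12 characters")
        self.user = new_user
        self._salt = os.urandom(16)
        self._hash = self._derive(new_password)
        self.provisioned = True

    def login(self, user, password):
        if not self.provisioned:
            raise SetupRequired("change the admin name and password first")
        # Constant-time comparisons; always derive so timing does not
        # reveal whether the user name matched.
        ok_user = hmac.compare_digest(user.encode(), self.user.encode())
        ok_pass = hmac.compare_digest(self._derive(password), self._hash)
        return ok_user and ok_pass
```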
Still, as an informed and vigilant user, I look forward to bringing the car into my connected lifestyle safely.
Photo by Liz Slocum Jensen. Used with permission.