Monday, 25 May 2015

UVa, cybersecurity company researching possibility of ‘car hacking’

t sounds like a Hollywood movie. As of 2015, it’s extremely unlikely. But automakers, researchers and security experts believe car hacking could become a credible threat over the next few years.

The University of Virginia and local cybersecurity company Mission Secure Inc. are part of a statewide effort to examine the ways the electronics systems that control features such as anti-lock braking and adaptive cruise control could be exploited by criminals.

David Drescher, CEO of Mission Secure, said he has not heard of any documented car hacking cases in Virginia. But it’s possible, and becoming increasingly likely as vehicles rely more and more on computer software.

“It’s not that accidents took place because somebody hacked into a car,” Drescher said. “But I can tell you the automotive industry is very aware of this problem. They’re trying to determine how to best secure the cars.”

So how exactly does one hack a car? The same way they’d hack anything else, Drescher said. Most cars have anywhere from 70 to 100 electronic control units, and all of them use software.

“Anything controlled by software, you can hack,” Drescher said.

The only documented case of car hacking in the United States occurred in Austin, Texas, in 2010, when a former car dealership employee — recently laid off — took control of software used by the dealership to immobilize cars when customers have become delinquent on their payments. Complaints of cars that wouldn’t start or honked nonstop in the middle of the night began pouring in.

Austin police eventually caught up with the alleged hacker.

Car designers are increasingly incorporating computer-assisted features such as parking assist, obstacle detection, automated speed control and hands-free lane changes. These types of features are vulnerable to hacking. And driverless cars, which could go into production in the future, certainly would be vulnerable.

Mission Secure and UVa’s engineering school put out a video showing they could exploit a driverless car, causing it to accelerate instead of braking when it detects an object ahead of it. Earlier this year, BMW announced it had fixed a bug that could have allowed hackers to gain keyless entry to some of its vehicles.

The potential problem compelled Sen. Ed Markey, D-Mass., to write a report calling on the automobile industry to examine possible weaknesses in their vehicles.

Recent trends in cybercrime have made it easy for people with little skill to exploit systems, Drescher said. Hacking used to take considerable skill and effort.

“Now people with that level of sophistication put out the tools so people with less sophistication can use them,” Drescher said.

People who don’t want to deal with the police might be some of the most interested customers, said Barry Horowitz, chairman of UVa’s Department of Systems and Information Engineering.

That’s one of the reasons why the working group, assembled by Gov. Terry McAuliffe, is starting with police cars. The group will be conducting a series of tests over the summer to see how computer systems in vehicles used by the Virginia State Police — which has allowed the group to use two of its cruisers — can be exploited.

“The most important thing we could do in the near term is ask ‘what data could we collect in the car so we could tell an attack occurred?’” Horowitz said.

Ideally, police in the future will be able to collect data from an automobile that was recently in a wreck and plug that data into a computer that could look for anomalies in the car’s commands — bizarre or irrational responses that could point to hacking.

Horowitz said he envisions a system that could be used by officers with little technical training. The group is also experimenting with a product — which Drescher calls Secure Sentinel — that could detect these anomalies as they happen and correct them.

Some people are skeptical about the threat.

Doug C. Newcomb, a longtime automotive journalist, has written columns for Forbes and PC Magazine this year saying the threat is overblown by the media. It is currently difficult and expensive to pull off, and since most criminals are motivated by money, it’s unlikely to happen anytime soon, he says.

And although car hacking continues getting media attention, there is only the one documented case.

“For now, only the hype surrounding car hacking is very high,” Newcomb wrote in PC Magazine in March. “And it likely will continue, since it makes for great headlines.”

Horowitz and Drescher both point out that the U.S. military already is grappling with the problem, as manuals and software enabling people to hack drones proliferate.

“Whether that’s going to transition into mass society – I think that’s just a matter of time,” Drescher said. “You can either wait or be proactive.”

View the original content and more from this author here: http://ift.tt/1HCaFZz



from cyber security caucus http://ift.tt/1F6IjzY
via IFTTT

No comments:

Post a Comment