Wireless Car Hacking A Direct Result Of Poor Security At Vehicle Software Design Stage

Research from the University of California San Diego and the University of Washington, which concludes that modern cars are susceptible to wireless hacking, is the result of security issues being ignored at the car electronics software design stage, say Fortify Software.

And, says the software security assurance specialist, the latest cars now come with as many as 50 or more interconnected computer systems, controlling everything from the brakes to the door locks and ignition system, and now that the vehicles are becoming wirelessly enabled, they are a lot easier to hack into electronically.

It’s interesting to see that the researchers have identified that most cars built since the late 1990s have a computer diagnostic port, since this port needs direct physical access to operate and therefore to hack.

But now that these systems are being wirelessly enabled and held together with several tens of megabytes of code, it’s a relatively small step to modify the code and allow hackers an easy, and wireless, back door into a car’s computer system.

This was no theoretical exercise, as the researchers were able to load new firmware onto their own circuit board and, by plugging the board into the car’s internal network, translate the data flowing between the vehicle and a laptop.

This reverse engineering process allowed the researchers to develop a customised vehicle network interface and effectively take control of the car’s electronic nervous system. So far, so normal, the Fortify chief products officer says, but the killer hack was when the researchers were able to generate network commands wirelessly from another car.

In theory this will eventually allow a wireless drive-by attack on the firmware of a car, to the point where its central locking and ignition protection systems can be disabled. A professional thief can then saunter up, open the car and simply drive off.

Car manufacturers should have foreseen the development of hacking attacks on their vehicle computer systems and built security safeguards into the firmware to stop this type of electronic hacking.

It’s all very well saying that the manufacturers should enhance the security of their car computer networks and the protocols used, but this potential fiasco could have been avoided if car developers had built security in from the ground up on a vehicle’s electronics systems.

That way, if someone were to hack into the electronics, the car’s central nervous system would realise it was under attack and take appropriate action, such as immobilising the vehicle. When you consider the high standard of IT defences that a typical office server has built in, it seems strange that something like a car – which costs ten times the price of a server, and then some – does not have similar levels of protection.

Barmak Meftah came to Fortify Software in early 2004 becoming the company's tenth employee. He is a technology industry veteran with over 17 years of experience in enterprise software development, product management and management consulting. Prior to his appointment at Fortify, Barmak was Vice President of Engineering and Product Management at Sychron. There he managed the strategy, development and release of products comprised in the ground-breaking practice of grid computing. Previously, he spent seven years in various senior management roles at Oracle within the Server Technologies division. Roles at Oracle included Group Manager for ease of use and manageability product lines as well as Director of Development for the eServices platform. At the time of his departure, he was the head of products for the Oracle 9i Database on Windows and .NET platforms. Earlier in his career, Barmak served as a Managing Principal Consultant at Price Waterhouse in the Management Consulting Services group and as the Group head for Wells Fargo Bank's desktop business unit.