Imagine cruising down the highway when the brakes suddenly give out. Or sitting in a parking lot when your doors unlock by themselves. In today’s world of increasingly interconnected cars, it might be more than a factory glitch. You could be a victim of automotive cyber-attack, warns supplier Robert Bosch GmbH. Bosch is tackling what it describes as a new era of driver threats, through its software security subsidiary Etas GmbH. In extreme cases, attackers could track your car’s location, spy on cabin conversation, tamper with the odometer, disrupt the engine, engage the brakes or even manipulate steering. For drivers, the intrusions mean “potentially life-threatening consequences,” Wolfgang Sienel, president of Etas’ Japanese operations, said last month at Bosch’s Yokohama r&d center, its biggest active safety lab outside Germany.
Actual cases of car hacking are still extremely rare because gaining remote access to onboard computers is difficult. But the concept has already captured the imagination of Hollywood. In the film Fast & Furious 6, villains cyberhack a car to crash it.
Closer to reality, the National Highway Traffic Safety Administration listed vehicle cybersecurity as a risk in a May report outlining its preliminary policy on self-driving cars. The electronic systems of today’s vehicles are vulnerable to outside attack through global positioning systems, linked smartphones and keyless entry fobs.
“These entry points open access to many manipulation possibilities,” Sienel said. “Once you are in the infotainment system you can go step by step further, because all the systems are interconnected in the car. You have the possibility through the infotainment system to get access to the powertrain.”
Etas’ solution is a kind of software firewall for cars that aims to block such attacks. The service is sold through an Etas unit called Escrypt GmbH, which was founded in 2004. Escrypt says it counts major global Tier 1 suppliers and automakers among its customers but wouldn’t name any.
Last month, Pricewaterhouse-Coopers issued a report warning about the risk of car hacking, citing General Motors’ push to offer in-vehicle Wi-Fi across its four brands by 2014. “Internal computing components have now proliferated into a complex, interconnected web of peripheral networks — all of which are susceptible to threats like viruses, malware and denial-of-service hacks,” the PWC report said.
Today’s onboard electronic systems have built-in redundancies that aim to shut down or correct a glitch when it occurs. Most are designed to prevent accidental external disruptions from such forces as ambient electromagnetic interference. But they can’t always counter deliberate deception, Etas says. “Redundancy is not sufficient to tackle cybersecurity threats because an attacker who can compromise a first device can easily compromise the redundant device as well,” Sienel said. The Escrypt cyberattack firewall dials it up a notch to guard against deliberate electronic attacks, said Herbert Hemming, president of Bosch’s Japan operations. “This goes one step beyond what we are already doing,” he said. The company outlined several kinds of attacks:
Some disrupt communications among a car’s electronic control units, the dozens of microprocessors that run the vehicle.
Others interrupt communication between a car and other cars or a car and intelligent traffic systems, including roadside monitors, sensors or meters, such as electronic toll collection systems.
Some attack such wireless vehicle interfaces as onboard Internet hot spots or GPS systems.
Etas declined to say how many cyberattacks occur globally. PWC’s report said only a “few cases” have been reported. Today, a common form of cyberdeception is simply manipulating odometers to sell a used car for more than it’s worth, says Andre Weimerskirch, who heads Escrypt’s business outside of Europe. He is unaware of any attack that resulted in injury or death. “Our current environment is safe,” Hemming said. “Nevertheless, we should not lay back. There could be potential risks coming up more in the future. We have to start thinking about it.”