Could modern cars operating with the help of internal computers be vulnerable to hackers? Could someone tamper with your software-controlled brakes or stop the engine from afar?
The familiar problem for personal computers is being studied in automobiles as internal computer networks become as critical to vehicles as tires and engines, and as auto companies push to bring the Internet to motorists.
Two researchers demonstrated the ability last year to hack into the internal networks that operate a car's brakes and engines. While there is no evidence that anyone has hacked into auto computer systems to compromise safety or steal vehicles, industry groups are studying the issue in hopes of getting ahead of future cyber-attacks.
"When people first started connecting their PCs to the Internet, there wasn't any threat and then over time it manifests," said Stefan Savage, a University of California, San Diego, computer science professor who conducted the research. "The automotive industry, I think, has the benefit of the experience of what we went through."
As vehicles are increasingly computerized, researchers and industry officials consider it inevitable that cars will face the same vulnerabilities as PCs. Internal computer networks monitor and control everything from brakes, engines and transmissions to air bags and keyless entry functions. Wireless connections, meanwhile, are becoming more common in reporting a vehicle's position or providing information about the car's functions. Some auto companies are creating applications to allow users to control some features in their car with their smart phone.
In a paper presented at a computer security conference last year, Savage and Yoshi Kohno, a computer science professor at the University of Washington, described how research teams were able to "bypass rudimentary network security protections within the car" and "adversarially control a wide range of automotive functions and completely ignore driver input _ including disabling the brakes, selectively braking individual wheels on demand, stopping the engine and so on." The research team also showed how an attack could embed malicious code in a vehicle and then erase any evidence of its presence after a crash.
In a new study, they found ways to compromise security remotely, through wireless interfaces like Bluetooth, mechanics' tools and even audio files. In one example, a modified song in a digital audio format could compromise the car's CD player and infect other systems in the vehicle. They were also able to "obtain complete control" over the car by placing a call to the vehicle's cell phone number and playing an audio signal that compromised the vehicle.
Other reviews have raised similar red flags. Research teams at Rutgers University and the University of South Carolina showed vulnerabilities of in-car wireless networks that operate tire pressure monitoring systems that tell motorists if their tire needs more air. From a distance of 40 meters, they bypassed security to tap into information identifying the tire and tire pressure of cars driving down the road.
The auto industry has taken notice. Jack Pokrzywa, who manages ground vehicle standards for the Society of Automotive Engineers International, said the industry formed a panel to investigate the issue during the past month and hopes to develop common standards and ways to address hacking within the next year. "The industry is certainly concerned about this," Pokrzywa said.
"Things can be done, if there is a mindset to do this, and with all the electronic devices and the software running them, it's kind of inevitable that someone will find a way," Pokrzywa said. "These systems are not built with firewalls upon firewalls."
The United States Council for Automotive Research, a group funded by Detroit's auto companies, is also forming a task force to study the issue, said spokeswoman Susan Bairley.
Researchers say they do not want to be alarmist and note that in many cases it required coordinated efforts to bypass the security systems. Kohno said their research was the result of 2 years of work and "the risk of this happening in the real world is extremely low." But Kohno and others said the industry was wise in trying to build in more protections to avoid the hacking scenarios common with personal computers.
"I hope it's more of a warning for the engineering groups that certain systems are vulnerable," said Ivan Seskar, associate director for information technology at the Wireless Information Network Laboratory at Rutgers University.