“Hack” raises many questions regarding cybersecurity in light of increasing connectivity and automation of automobiles and transportation systems
I remember three years ago researching if it was possible to hack a car, the answer that was given was “no, it is impossible to hack a car”. The article was a press junket put out by a manufacturer’s group. Within six months of reading the press release, hackers had demonstrated that it was in fact possible to hack a vehicle.
If you can gain hack a car, you can most likely put the driver and passengers in danger by taking control of important systems such as braking, acceleration, and power to the vehicle. This is because most computer systems are interconnected. In other words, if you can gain access to something like the air conditioning controls, you can gain access to the braking system.
There was a presentation at a Hacker convention a few years back where the researchers were able to demonstrate how they could take control of a vehicle using a network connection. A video was shown demonstrating how this could be done while the vehicle was in use. If I recall, the manufacturer was contacted before the release of information by the researchers so that a fix could be put in place. Auto manufacturers had another response as well. I believe that this is the same case. Legislation was passed making the hacking of an automobile a criminal offense.
Fast forward to today, and we have news of another vehicle that was hacked. British cybersecurity first Pen Test Partners is claiming that it was able to hack a 2017 Mitsubishi Outlander through a vulnerability in the wi-fi system and was able to turn on the headlights and climate control system, disable the alarm, and alter the battery charge timing. While the systems hacked were not that critical in the operation of the vehicle, it is something that would not put driver and passengers in harms way. However, we don’t know if the hackers were not able to access critical driving systems or if they chose not to, an important detail nonetheless.
The vulnerability in the Mitsubishi Outlander was an application that enables owners to “communicate” with the vehicle through their mobile phone. Experts only “needed a few days” to examine the code and find the vulnerability, and take action to prove their point.
Fortunately, the hackers involved did not have bad intentions with their newfound abilities. However, that begs the question, just what kind of damage can be done by a hacker with bad intent? How easy is it to take complete control of a vehicle putting driver and passengers in harm’s way? Has this been done yet and do we just not know about it? I would guess the latter.
Most alarming to me are the questions that this story raises and what is being done to correct it? If history is any precedence, the hacker notified the software developer before disclosing their hack publicly and a “patch” was implemented, fixing the problem.
Unfortunately, I think it is just a matter of time before I am writing an article where there was injury or death as a result of a software breach. The increasing amount of connectivity and automation in our transportation systems is worrying from a security standpoint. With that said, “old” cars are looking all the more attractive to me.
