Are cars the next Internet?

One big problem with the Internet is that security wasn't in its original design, so that security vendors need to provide products that try to overcome this original oversight. It looks like cars might have this same problem. A recent paper by a group of professors from UCSD and the University of Washington describes some of the security problems that cars have. Here's this paper's abstract:

Abstract—Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. In this paper we experimentally evaluate these issues on a modern automobile and demonstrate the fragility of the underlying system structure. We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input— including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on. We find that it is possible to bypass rudimentary network security protections within the car, such as maliciously bridging between our car’s two internal subnets. We also present composite attacks that leverage individual weaknesses, including an attack that embeds malicious code in a car’s telematics unit and that will completely erase any evidence of its presence after a crash. Looking forward, we discuss the complex challenges in addressing these vulnerabilities while considering the existing automotive ecosystem.

There may be additional security issues that the automobile manufacturers don't feel comfortable letting researchers discuss in public, of course. But because people are looking at the problem now, it's probably only a matter of time until these issues are addressed, either by the automobile manufacturers or by third-party security vendors.

After reading this paper I was curious about how many processors a typical car has these. The last estimate heard of this was 14, but that was several years ago. After using Google for a few minutes I didn't find that particular bit of information, but I did learn that both the BMW 7 Series and the Mercedes S Series vehicles actually have over 100 microprocessors in them these days. I'd imagine that there's also a fairly sophisticated network connecting those processors, but that's something that I'll probably never get around to learning about.

Leave a Reply

Your email address will not be published. Required fields are marked *