Data security doesn’t only mean that your stored data backup is always available when you need it. It also means that no unauthorised person should be able to get their hands on it. Data breaches and malware attacks are commonplace in today’s IT-driven world. This sad fact has been highlighted in recent news and is especially worrisome since the issue relates to data security on car computers.
The automotive industry is continually innovating in trying to make cars safer and more reliable, more efficient, more comfortable, more luxurious. With this comes more electronically driven and computerised components that facilitate such complex technological advancements – the main one being the Electronic Control Unit (ECU). A few decades ago, this used to only allow for engine management of fuel efficiency and emissions but have since been expanded to power things like your GPS/sat-nav system, car security, and even remote access from the car manufacturer.
Dodged the Bullet
An example of one such vulnerable system was the Fiat Chrysler (also think Jeep, Dodge) system called uConnect, which was flagged for possible data security exploitation mid-2015. Reported by TheRegister.co.uk, “the flaw can be exploited by an attacker to wirelessly take control of the engine, brakes and entertainment system.” This was made possible by the system being connected to the internet through the uConnect cell network without authentication.
Trying to Fix It
Since then a fix has been developed but requires manual installation using a USB drive. Still the manufacturer issued a recall of the afflicted models to minimise further collateral damage. Not only has there already been significant reputational damage to Fiat Chrysler, but a class-action lawsuit has been instituted against the company.
The guys who discovered the uConnect vulnerability, Charlie Miller, security engineer at Twitter, and Chris Valasek, director of security intelligence at IOActive, are also highlighting a more complex problem with ECU data security in that they are generally more hackable than one would expect. If you have the rights tools and skills, cars’ steering, braking, and acceleration that are automatically managed can be manipulated from outside.
Currently only a few manufacturers have models in production that are exposed in this way and already better protective measures are being developed to prevent foreign instructions from being sent to control modules that would unfavourably affect the vehicle’s behaviour. In a demonstration at the Blackhat 2014 conference, Miller and Valasek showed, with their “Can-no hackalator 3000”, that a simple intrusion detection system (IDS) can be used to stop an attack. It showed such a system would be able to learn a car’s internal communications and block anything that looked suspicious – effectively disabling the automatic controls but allowing full manual control back to the driver.
So make sure you’re aware of your car’s make and model and that you’re in contact with the manufacturer about any data security vulnerabilities. Keep up to date with any software updates released by the manufacturer or third-party providers. It’s the best way of staying protected while the kinks are being ironed out.