In 2013, when professional hackers Charlie Miller and Chris Valasek demonstrated that it was possible to hijack the steering and brakes of a Ford Escape and a Toyota Prius using only laptops connected to the autos, they raised two questions.
First, could hackers perform the same thing wirelessly or, perhaps, even over the Internet? And secondly, what other specific vehicles are vulnerable?
“If you own a Cadillac Escalade, a Jeep Cherokee or an Infiniti Q50, you may not like the answer,” Wired reports.
In a recent talk at the annual Black Hat security conference in Las Vegas, and in an accompanying 92-page paper on the subject, Miller and Valasek presented the results of a very broad analysis of dozens of different automobile makes and models, assessing each vehicle’s schematics for signs that point to key vulnerabilities in auto-focused hacking. The result has been a kind of handbook of ratings and reviews of various automobiles, ranked by their hackability of networked components.
“For 24 different cars, we examined how a remote attack might work,” said Valasek, who is director of vehicle security research at the security consultancy IOActive. “It really depends on the architecture: If you hack the radio, can you send messages to the brakes or the steering? And if you can, what can you do with them?”
Hackability tied to a vehicle’s technology
According to the introduction of their paper:
Modern automobiles consist of a number of different computer components called Electronic Control Units. Each automobile contains from 20-100 of these devices, with each ECU being responsible for one or more particular features of the vehicle. For example, there is an ECU for seatbelt tightening, one for monitoring the steering wheel angle, one to measure if a passenger is in the car, one to control the ABS system, and so on.
Some ECUs “also communicate with the outside world,” Miller and Valasek said in their paper, “as well as the internal vehicle network. These ECUs pose the biggest risk to the manufacturer, passenger, and vehicle.”
The two men are quick to note that their findings and results are not definitive claims that security vulnerabilities exist in cars and trucks as much as they are a warning of potential cyber weaknesses. In contrast to their 2013 research, for instance, they did not do any hands-on hacking to produce their new paper and findings. Their most recent work instead consisted of mostly signing up for mechanics’ accounts on the websites of all the car manufacturers and then analyzing the computer networks revealed in those documents.
“We wanted to take a step back and look at a whole range of cars in much less detail, to really see what was out there,” Valasek told Wired.
In their analysis, three vehicles were ranked as “most hackable”: the 2014 models of the Infiniti Q50 and Jeep Cherokee and the 2015 model of the Cadillac Escalade. The full results, summarized in the chart below, show that the 2010 and 2014 Toyota Prius didn’t fare well either. The “least hackable”? The 2014 models of the Dodge Viper, the Audi A8 and Honda Accord.
‘We’ll use shame, if necessary’
Each cars’ ratings were based on three factors, the men said: first, the size of their wireless “attack surface” — features like Bluetooth, Wi-Fi, cellular connections, keyless entry and even radio-readable tire pressure monitoring systems. Any of those connections could potentially be used by a hacker to identify a security vulnerability and gain a foothold to control the vehicle or certain of the vehicle’s systems.
Secondly, they looked at each vehicle’s network architecture and how much access the potential footholds provided to critical systems like brakes and steering.
Third, they rated what they called the vehicles’ “cyberphysical” systems and features: Capabilities like automatic breaking, parking and lane assist functions that could transform a few spoofed digital commands into an out-of-control vehicle.
“The Infiniti Q50 in particular was a model of insecure architecture,” Wired reported, citing the report’s findings. “The sports sedan’s wireless features included remote keyless entry, Bluetooth, a cellular connection, wireless tire pressure monitoring, and an Infiniti Connection system that interfaces with a ‘personal assistant’ app on the driver’s smartphone.”
“Miller and Valasek counter that they’ve shared their report with the Department of Transportation and the Society of Automobile Engineers, an industry group. Their goal is to use public pressure–and if necessary, shame–to push car companies to think about their security architecture,” the publication added.
See the complete list of 20 vehicles here: DailyMail.co.uk.