Once a vehicle’s internal computer network is hacked, the hackers would be able to tamper with key functions

Car hacking should be considered a national security issue, as hackers can “kill millions” of people using hijacked cars, warned an expert.

Deaths are inevitable within five years if car manufacturers do not rush to solve cybersecurity issues and fix vulnerabilities in technology, Justin Cappos, a computer scientist at New York University, was quoted as saying to thetimes.co.uk on Monday.

“Any car built since 2005 could be controlled remotely by hacking with some cars built as long ago as the year 2000 also at risk. Hackers could already be causing accidents without the authorities realising it because no one was looking for the evidence,” Cappos said.

“If there was a war or escalation with a country with strong cyber capability, I would be very afraid of hacking of vehicles.”

Once a vehicle’s internal computer network is hacked, the hackers would be able to tamper with key functions, including the braking system, power steering and locking mechanisms.

“Many of our enemies are nuclear powers but any nation with the ability to launch a cyber-strike could kill millions of civilians by hacking cars. It’s daunting,” Cappos said.

In 2015, cybersecurity experts had in a shocking revelation said that there were a series of bugs in Chrysler’s Jeep Cherokee, which could take control of the car’s dashboard, locks, brakes and windscreen wipers.

As a result, Fiat was forced to recall 1.4 million vehicles in the US for updates.

Industry bodies have however, thwarted Cappos’ claims, saying that work is already well underway to help prevent major hacks from taking place.

“Billions are invested to stay ahead of criminals and new cars have never been more secure,” a spokesperson for the UK’s Society of Motor Manufacturers and Traders was quoted as saying to the ibtimes.co.uk on Monday.

Rob Wainwright, the executive director of Europol, tweeted: “is clearly a big issue but it’s unlikely to be taken seriously by sensationalist comments like this.”

Nevertheless, car hacking can pose a serious risk in the coming years as in recent years, multiple road vehicles have been found to be susceptible to cyberattacks.

In March 2016, an investigative report produced by International Data Corporation (IDC) and commissioned by security firm Veracode found that it could be years before adequate cybersecurity protections are put in place.

“The industry is just beginning to debate cybersecurity issues surrounding connected cars. Manufacturers (said) that it will be one to three years before connected car systems are implemented with full consideration of such concerns,” the report found.

 

CNN MONEY – Your car is a giant computer – and hacking it is possible…

Imagine driving down the highway at 70 miles per hour, when suddenly the wheel turns hard right. You crash. And it was because someone was hacking your car.

It’s not far-fetched science fiction. It’s the near-term future today’s hackers are warning about.

Most people aren’t aware their cars are already high-tech computers. And now we’re networking them by giving them wireless connectivity. Yet there’s a danger to turning your car into a smartphone on wheels: It makes them a powerful target for hackers.

Interviews with automakers, suppliers and security advisers reveal a major problem with the new wave of “connected” cars: The inside of your car has ancient technology that presents a security risk.

  • The 50 to 100 tiny computers that control your steering, acceleration and brakes are really dumb. They rarely conduct authentication, checking whether that message is really coming from you. An outsider can send them commands.
  • The computer code in cars is outdated. It’s similar to the on/off switches used in industrial controls. It’s easily manipulated.
  • Much like the human central nervous system, every electronic part inside a car is connected to a central spine. Tap one part, you can likely reach any other.

“The protocol and internal parts of the car were never meant to be connected to anything,” said Joe Klein, a researcher at security firm Disrupt6.

Cars’ computers were built safely enough back in the 1990s, when the car was a closed box. But their architecture won’t hold up as we hook them up to the Internet.

Consider the level of complexity of modern day cars — and the chance for a screw up. The space ship that put humans on the moon, Apollo 11, had 145,000 lines of computer code. The Android operating system has 12 million. A modern car? Easily 100 million lines of code.

“Auto manufacturers are not up to speed,” said Ed Adams, a researcher at Security Innovation, a company that tests the safety of automobiles. “They’re just behind the times. Car software is not built to the same standards as, say, a bank application. Or software coming out of Microsoft.”

The nightmare scenario: Hackers access your car’s core controls by breaching its Internet-connected entertainment system and tamper with your brakes.

Hackers have already proven that scenario can happen. Security engineers Charlie Miller and Chris Valasek demonstrated last year how they could hijack control of a car by connecting laptops to the dashboard.

But cars are going wireless. The next generation of Audi and Tesla (TSLA) automobiles are connected to the AT&T (T) network. Wires won’t be needed to hack them.

Meanwhile, there’s a growing potential for car malware. Makers of “infotainment” systems — dashboards that function like a tablet — are racing to add fun apps. But if automobiles’ internal electronics remain insecure, downloading a malicious app to your car could spell big trouble. That’s why auto suppliers are taking initiative.

Harman (HAR) makes Bluetooth audio devices that end up in BMWs, Hyundais, Mercedes-Benzes and others. The company is adding its own layers of security by using software to virtually separate the entertainment system from the car’s network. It raises the bar of difficulty for a hacker to use a music app to worm his way into your steering controls.

Sachin Lawande leads Harman’s infotainment division and justifies its initiative: “The assumption we’re making is that it’ll take a while for the auto industry to move to a more secure internal network than what we have today.”

Continental, one of the world’s three major auto parts suppliers, is partnering with IBM (IBM) and Cisco (CSCO) to make firewalls that control the information flow between the car’s devices. Until it gets security all figured out, the German company is holding back from adding full Internet connectivity features, such as real-time information from the engine that alerts the local car shop ahead of time.

“Without having a good firewall or security in place, I can’t go to the auto manufacturer and say, ‘Let me have access to information from engine management,'” said Tejas Desai, Continental’s head of interior electronics for North America.

For their part, car manufacturers are working on these problems too.

Ford (F) hardware has built-in firewalls to prevent malicious tampering, and the company has a team of noble hackers constantly probing for weaknesses.

Toyota (TM) does all that too, plus it embeds security chips in the tiny computers throughout the car, narrowing how they communicate and lessening the chance of outsider interference. The company even has forward-thinking plans this year to visit the world’s largest hacker conference, Black Hat.

It should be no surprise that Tesla (TSLA) is ahead of the pack. The Model S is the most advanced and connected car currently available. It’s worth noting the company’s mature approach to addressing vulnerabilities. Instead of hunting down hackers who spot weaknesses, they reward them with an “Information Security” badge that works like a Willy Wonka golden ticket, granting exclusive access to Tesla’s factory in Fremont, Calif. The company recently sent one to a British hacker who goes by Jon of Bitquark.

But there remains a glaring, three-prong problem beneath all of these security approaches. The car’s many little computers will continue to be connected to one another. All auto makers are moving toward Internet-connected cars. And no one is willing to physically separate the core controls from the car’s wireless communication hub.

That’s partly because federal regulators will soon demand that cars automatically relay information wirelessly to one another as part of the U.S. government’s vehicle-to-vehicle communication program. Those car-to-car messages will one day be able to engage brakes — or your steering wheel.

If decades of computer hacking has shown us anything, it’s that smart people will find a way to break in and bounce around.

Scott Morrison, who oversees automotive app engineering at CA Technologies (CA), acknowledged all of these problems exist and said the industry knows what’s on the line.

“They’re very aware they don’t get second chances on this, so they’re taking it very seriously,” he said.

 

Hacking flights, Computer expert hacked into plane and made it briefly fly sideways, according to FBI

A computer security expert was hacking into a plane’s in-flight entertainment system and made it briefly fly sideways by telling one of the engines to go into climb mode.

Chris Roberts of One World Labs in Denver was flying on the plane at the time it turned sideways, according to an FBI search warrant filed in April.

The warrant was first publicized on Friday by APTN, a Canadian News Service.

Roberts told the FBI he had hacked into planes “15 to 20 times,” according to court documents first made public on 15 May.

Roberts first made news in April when he was told he couldn’t fly on United Airlines because of tweets he had made about whether he could hack into the flight’s onboard computer settings.

The FBI search warrant describes him doing just that.

According to the document, in an interview on 13 February, 2015, Roberts told agents he had hacked into in-flight entertainment centers on Boeing 737s, 757s and Airbus A-320 aircraft “15 to 20 times.”

The warrant describes how Roberts would wiggle and squeeze the Seat Electronic Box under his seat, which connected to the plane’s in-flight entertainment system, or IFE.

He would then connect a cable to the box and connect it to his computer. From there, Roberts was hacking into the plane’s Thrust Management Computer using default IDs and passwords.

He overwrote computer code for the planes’ thrust management computer, which he told agents allowed him to make the plane climb on his command.

At least once, according to the document, he told one engine on a plane to climb, causing the plane to move sideways as it flew.

Roberts also used software to monitor traffic from the cockpit, according to the search warrant request.

Roberts is a well-known and respected expert on computer security. He told the FBI he was furnishing the information “because he would like the vulnerabilities fixed.”

FBI agents had spoken with Roberts several times, according to the document. They told him that accessing an airplane network without authorization was a violation of federal statues.

Roberts told them he understood and that he would not be hacking into any more airplanes, according to the document.

On April 15, Roberts flew United from Denver to Chicago. On the flight, he tweeted about the possibility of accessing the plane’s In Flight Entertainment system.

The FBI sent an agent to inspect the flight when it arrived in Philadelphia, where it had flown after Chicago.

The agent inspected the Seat Electronic Box below seats 2A and 2B and found evidence of damage and tampering.

Roberts flew from Chicago to Syracuse, N.Y. When he arrived, FBI agents took him into custody and seized as digital evidence his computer, hard drives and other gear he had with him.

The search warrant application was for permission to search Roberts’ computer gear.

Roberts has not been charged with any crimes.

Requests for comment from the FBI, United Airlines and Roberts’ company produced no immediate response.

This article is sponsored by:

GDPR certified

Show your customers that you care about their privacy! European Center for GDPR Certification is the “Consumer Trust Body” of the General Data Protection Regulation. Visit  GDPRcertified.org to read about how to add “GDPR TRUST SEAL”™ to your website in order to gain more business and distance you from the not so serious businesses – It Pays Off!