The CIA documents leaked by WikiLeaks recently seemed to have shown that the intelligence agency may be able to take control of cars remotely, and WikiLeaks even suggested this could lead to assassinations.
We’ve asked some of the major car companies how they protect their customers against this type of attacks against their existing cars, but also how they plan to protect the more digital autonomous cars of the future. We’ve received full responses only from Daimler (Mercedes-Benz), BMW, and Hyundai.
Volkswagen told us it doesn’t comment on such matters, including about the security of their cars. The company has also previously tried to legally gag (PDF) a security researcher from speaking out about some of the security issues with their cars that allowed car thieves to steal them more easily.
On Alleged Assassination Attempts
This is a highly sensitive topic, but it’s not a huge secret that the CIA has been involved in assassinations throughout its history. WikiLeaks didn’t show any actual proof that the CIA assassinated anyone by taking over their cars, but that doesn’t necessarily mean it hasn’t happened. There’s just no proof either way. Regardless, the risk for assassination attempts may still exist, if not from the CIA, then potentially from other malicious hackers or spy agencies.
Cars will only become more connected to the internet and more “digital,” in the sense that more of their components will be controlled by software. Autonomous cars will be completely controlled by software, which means every part of them, including the engine, brakes, and steering systems could be potentially attacked through software vulnerabilities. As such, many people will likely want to be reassured that such attacks won’t even be possible before riding in an autonomous vehicle in the near future.
All three car makers we spoke with denied any knowledge of any assassination attempts through the remote control systems in their cars.
On Remote Control Capabilities
We don’t yet have fully autonomous cars that are completely controlled by software, but automakers have continued to increase the range of remote capabilities in their cars over the past several years. This could expose the cars to a higher risk of being hacked over the internet.
Mercedes cars, for instance, have remote access capabilities that allow the owner of the car to unlock and lock the doors remotely, over the internet. This may expose Mercedes owners to car robberies, but this feature alone probably won’t put anyone’s life in danger. A Daimler representative also said that Mercedes cars have extensive anti-theft features.
BMW said that its customers can remotely locate their cars, turn on the air conditioner, open and lock the doors, and even sound the horn (presumably to help car owners spot their cars in a large parking lot). BMW said that the driving wheel can’t be remotely steered, and that the remote functions are separated from the safety-relevant subsystems.
The BMW cars seem to have the same risk of robbery as the Mercedes cars, while also opening its customers up to location tracking by potential attackers. Some researchers have shown recently that such malicious location tracking is possible with some of Nissan's cars.
According to a Hyundai representative, the company’s Blue Link telematics (long-distance transmission) system includes features such as:
- Remote Door Lock / Unlock
- Remote Horn and Lights
- Remote Start with Climate Control (Requires push button start)
- Car Finder
- Stolen Vehicle Recovery
- Stolen Vehicle Slowdown
- Stolen Vehicle Immobilization
- Alarm Notification
- Curfew Alert
- Speed Alert
- Valet Alert
Beyond the risks we’ve already discussed for the other two manufacturers, the one remote feature that could be potentially dangerous is the “Stolen Vehicle Slowdown.” Hyundai’s website describes the feature as cutting power slowly to safely stop the vehicle, so at least in theory, an attacker shouldn’t be able to cause too much damage with it. However, it’s not clear whether or not the feature could be modified to cause a more abrupt stopping of the vehicle, which could put the life of whoever is behind the wheel at risk.
Hyundai also said that no critical safety features can be accessed remotely, and that it does not support over-the-air updates for its control systems.
On Car Security Systems
Daimler said that it employs cross-divisional security officers to ensure a more holistic approach to security for its cars. The cars use security mechanisms such as public key cryptography, certificates, firewalls, virus scanners, and protocols such as TLS, IPSec, WPA2, and others with algorithms and key lengths that are recommended by the German Federal Office for Information Security. The development of the security mechanisms continues for the entire lifecycle of a vehicle and is certified by both in-house and third-party security experts.
"All our vehicles have extensive security and anti-theft systems. Data security, data privacy and anti-theft protection are important elements of our research and development activities," said a Daimler spokesperson.
"When advancing our protection mechanisms, we take into account the latest know-how regarding criminal methods and attacks on security systems. Nevertheless, there is no absolute, "100%" security. But we develop our systems to ensure they are state of the art – certified by in-house and third-party experts – and continuously work on further advancing all components."
After being caught a few years ago with sending unencrypted updates to its cars, BMW seems to have learned its lesson, and it’s now using both encryption and authentication for all long range connections. The company also mentioned that its electronic control units (ECUs) for telematics use firewalls and filters that enforce access policies. In addition, the cars are not addressable via the public internet, according to a BMW representative.
When we asked whether the company uses security-by-design principles, this is what the company answered:
BMW generally follows a security-by-design oriented development process which identifies security requirements in the early phases of the development, and implements them accordingly.
To validate that these security requirements are correctly implemented and no vulnerabilities can be used, BMW applies security tests along the development process. BMW supports best practice approaches and the development of industry standards for secure system design.
Hyundai didn’t give too many details about its security systems, saying only that its cars use multiple layers of security to protect its vehicles and data.
"Hyundai constantly works to protect our customers and their vehicles. Hyundai continues to test and study how to further secure our vehicles from any cyber-attack," said a Hyundai representative.
On Bug Bounties
We’ve also asked all of the car companies that we’ve contacted whether or not they intend to implement a public bug bounty program to show their commitment to software security. Only two have started bug bounty programs so far: Tesla and Fiat Chrysler (U.S. division).
Bug bounties are important because they bring outside eyes to look at the cars from a different perspective. Even if the car companies hire one or two third-party security teams to analyze the code, they may still miss some flaws that dozens of other independent security researchers may not. None of the three car makers that answered us gave any indication that they plan to launch bug bounties soon.
On Security Of Upcoming Autonomous Cars
Not much information was revealed about the security of autonomous cars, as those are still a work in progress. However, it’s expected that much of the security architectures that exist in these companies’ latest and most modern car models will transition to autonomous cars, as well.
Right now, most if not all of their critical safety systems are isolated from the internet, but this could change for future autonomous cars. As more components become digitally controlled, car makers will want to be able to deliver constant updates (“car as a service,” if you will).
For instance, we’ve seen Tesla update its cars’ engines over-the-air to increase acceleration. Although the company received much praise for being able to accomplish such a task over-the-air, it also means that an attacker could send a similar update that takes over the engine or blocks the owner from driving it (ransomware).
Of course, such an attacker would also have to bypass Tesla’s own security checks, but if Tesla can modify critical components of a car over-the-air, then, at least in theory, it should be possible for a more sophisticated attacker to do the same. Also, although Tesla is probably one of the more security-conscious car companies out there--proof being the fact that it has a bug bounty--its security systems haven’t exactly been bulletproof.
The good news is that the autonomous driving platforms are just now being built, so all car makers have an opportunity to build them with strong security in mind. Security is best when it’s done by design and from the ground up, but also when it's followed up with constant audits and timely patches.
Some of the car makers may still believe that security is not as important as ensuring that the cars drive themselves safely, and that being able to promote self-driving capabilities for their cars should take priority.
This is definitely a debatable argument, but the car companies should also consider the fact that if their autonomous cars prove to be hackable, then they’re only going to attract more attention from malicious hackers, as well as negative press reports. This could ultimately lead to more attacks, not to mention lower sales.
People may not want to be driven by autonomous cars that they know are hacked often, even if the company that makes the car promptly patches security flaws after they're found. In such types of hacking, that’s still too late for the potential victims of the hacking attacks.