Rising fear of car hackers sparks action in Washington

Cars are not safe from hackers.

That’s what two security researchers showed this week when they commandeered a car from 10 miles away, forcing it off the road.

The demonstration, profiled in a Wired article, caught fire and made the rounds among federal agencies, Capitol Hill and automakers. It brought fresh attention to long simmering worries, prompting lawmakers and the auto industry to scramble to get ahead of the looming threat.

{mosads}“Cars today are essentially computers on wheels, and the last thing drivers should have to worry about is some hacker along for the ride,” said Reps. Fred Upton (R-Mich.) and Frank Pallone (D-N.J.), the top two members of the House Energy and Commerce Committee, in a joint statement Friday.

After years of mounting evidence that cyberattackers can remotely seize control of a car’s entire system, lawmakers and the auto industry are finally starting to act.

On Capitol Hill, two senators this week introduced the Spy Car Act, which would direct the government to create standards that shield cars from vicious hacks. Upton and Pallone recently spearheaded a letter sent to 17 automakers pressing for details on plans to bolster vehicle cyber defenses.

And on the industry side, Chrysler pleasantly surprised some security specialists on Friday by recalling roughly 1.4 million vehicles. The automaker was spurred by the Wired article, in which a reporter sat in a Jeep going 70 miles per hour as hackers manipulated the air-conditioning and toggled on the windshield wipers — before cutting the transmission.

To many, the incident was no shock. Security researchers in both the private and public sector have long been attuned to this growing threat.

It’s only inevitable as the number of digital devices explodes. Technology research firm Gartner predicts that by 2020, one in five cars on the world’s road will have some type of wireless connection.

And the past half-decade has been peppered with examples of how quickly things can go wrong for these connected vehicles. For years, researchers have shown that a car can be hijacked by any number of increasingly common features — Wi-Fi, keyless locks and Bluetooth, for instance.

“Your common criminal is getting ahold of these more technical devices,” said Brian Knopf, a software architect and chief technology officer of CUJO, a security firm focusing on defending connected devices. “Instead of jimmying open a door, they’re opening a door electronically.”

What’s remarkable, many said, is the attention the issue is now receiving on Capitol Hill and within the auto manufacturing community.

Nathaniel Beuse, the associate administrator for vehicles safety research at the National Highway Traffic Safety Administration (NHTSA) told The Hill that he was taken by the “sudden” attention on “all of this”

“We recognized this way back in 2012,” he added.

The NHTSA, he said, reshuffled its research division that year to focus on cybersecurity, long before a car’s cyber defenses was a frequent topic of discussion. It’s since been the top auto security concern for Beuse’s wing of the agency.

In fact, it was the Pentagon’s long-shot research arm, the Defense Advanced Research Projects Agency (DARPA) that funded the two researchers — Charlie Miller, a security engineer at Twitter, and Chris Valasek, director of security intelligence at cyber consulting firm IOActive.

But the government’s resources are minimal compared to those of the vast auto industry. And many in the security community have accused major carmakers of not aggressively confronting the issue.

“They’re not and that’s the scary thing. They’re only doing it when their arm is twisted,” said Knopf, who worked with other researchers to create a “Five Star Automotive Cyber Safety Framework” on which he hopes car makers will eventually be rated.

Chris Poulin, a research strategist with IBM’s X-Force Security team who has advised automakers on building cyber defense, recalled meeting with an automaker to give security advice on several connected features it was hoping to roll out in vehicles.

The room was filled with white boards detailing all sorts of information on product development — with some notable exceptions, Poulin said.

“Security had one line on it,” he said. “That’s it”

Poulin asked the people in the room, “What’s your threat level?”

“They had no idea,” Poulin said, conceding that it’s almost impossible to know, given the complexity of newer cars.

Auto manufacturers dispute the characterization.

After months of work, the Alliance of Automobile Manufacturers, the major auto industry group, recently announced it had created a hub that would allow companies to swap data on cyber threats.

“From the first stages of design and development, automakers are working on multiple fronts to assure that cars and trucks are safe and secure,” said Robert Strassburger, vice president for vehicle safety, in a conference call.

Eventually, he added, auto supplies, telecommunications companies and technology companies would also hopefully participate in the hub.

Sen. Ed Markey wants to push the industry further.

The Massachusetts Democrat in February released a damning report that described automakers cybersecurity measures as “inconsistent and haphazard.”

His review was based on information collected from 16 car companies. Only two of the 16 companies could point to any technology that would detect intrusionin vehicles, according to the report.

“Automakers haven’t done their part to protect us from cyberattacks or privacy invasions,” Markey said when the report was issued. “Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”

This week, Markey joined with Sen. Richard Blumenthal (D-Conn.) to introduce the Car Spy Act. The bill would direct the NHTSA and Federal Trade Commission to work on a set of minimum security requirements for automakers.

The standards would ensure that all digital access points are protected and that a car’s critical systems — brakes, steering wheel, transmission — are separated from other wireless-enabled systems. Vehicles would also need to be able to detect and shut down hacks.

“I think when you look at it from a rules standpoint, there are some things you can write,” said NHSTA’s Beuse. “But you want to have as much flexibility as you can.”

While lawmakers are encouraging swift action, researchers acknowledge that car hacking is still a “minimal threat to the general public,” said Tim Erlin, director of risk strategy at Tripwire, which monitors networks for malicious activity.

Most agree it won’t become a common issue for another one to three years. Hackers don’t have sufficient financial motives right now.

But it’s feasible car passengers will soon be able to making banking transactions or Amazon purchases through apps on their car’s on-board computer.

“The trigger point,” Erlin said, “would be any time that that vehicles start storing or processing or transferring data that’s of value that could be stolen.”