Remembering to lock your car door isn't enough to protect it entirely. With new digital interfaces—and that slick Bluetooth connection—cyber-physical systems like modern cars and smart grids are increasingly vulnerable.
An Engineer’s Perspective on Car-Hacking, Q&A with Steven Goldsmith
Cybersecurity in cars made several headlines last summer. Charlie Miller and Chris Valasek’s car hacking research made for a viral WIRED article when they remotely took over a Jeep Cherokee on the highway; Bloomberg Business covered these vulnerabilities in a video interview at the Def Con hacking convention. At Michigan Tech, cybersecurity is an integral part of many researchers’ work. Steven Goldsmith, a research professor in mechanical engineering, started a new graduate course on automotive cybersecurity this fall and spoke with me about his work.
AM: What is new about the hacking that led to the WIRED article?
SG: When I read the article, I wasn’t surprised about anything, first of all, and these two people have done this before. What was interesting this time is that they hacked into the car through its remote, wireless connection; in their previous research, they connected a computer directly to a standard diagnostic port.
Now, they’re not the first to do this. There has been scholarly work done in the automotive area for over a decade. So, while it’s dramatized in the WIRED story, I don’t think it’s substantively wrong—I believe they were able to do what they did.
AM: What scares us about car hacking more than other cybersecurity risks?
SG: The most dangerous scenario is that a vehicle is hacked in order to produce a lethal crash. The results of cyberhacking on automobiles have physical effects, creating what essentially becomes a missile on wheels that we drive around in public. So the serious issue with hacking into automobiles is the energetic end effect, unlike breaking into a credit card account, which is annoying but not necessarily injurious or fatal.
But there are a lot of scenarios that come to mind—some sound like they’re out of an action movie. But many are more mundane. For instance, most people connect their smart phones to a newer car model to play their favorite music. But the car’s wireless network is another entry point for hacking malicious code into the smart phone.
AM: In a car, what is the weakest link?
SG: That remains to be seen. But once cars are operating on a public wireless network, you have a broad “attack surface.” That’s the mode and entry point into the car’s computers and software that a hacker uses. In the future, when there is a ubiquitous wireless communication network involving vehicles, the remote, wireless attack surface like the one used in the WIRED article will be a threat to hundreds of thousands of vehicles.
Now, hacking into a car is much harder than hacking into a home computer. The complexity of the vehicle computing systems is extremely high already and that means it takes experts to hack into them. But that also means it takes sophisticated means to protect the systems and to analyze the potential attacks.
AM: Preventing hacks takes extreme measures and costs—like embedding security features into the materials themselves. We effectively manage risks without that in computers and other devices, so what’s different about vehicles?
SG: In the cyber world, there’s an attack, then people analyze the malicious codes and come up with the patches to inoculate the vulnerable systems. Those patches are what you download when you update your software in your computer.
For automobiles, tracing an attack and determining if it has erased its tracks is highly technical and car manufacturers hold that information very closely. Software liability in the Internet world is basically non-existent; but that’s not the case for cars. Following the WIRED article, Chrysler patched over a million vehicles because of the security flaw—it was a watershed moment in the automotive-cyber realm. Patching and recalls are expensive and, unlike in the traditional software industry, such flaws are the responsibility of the car manufacturer.
You can take computer software patches and download them pretty easily for your home computer. But how do you handle patch management for your car? It’s hard to imagine a vehicle going through that patch download process as intensely as, say, Windows had to over a decade ago when computer hacking incidents intensified. It’s very disruptive for both manufacturers and users and affects the entire automobile life cycle - from making to buying to driving a modern vehicle.
AM: What do we do about the cybersecurity challenges in the automotive industry?
SG: Well, it’s an on-going process, like fighting crime. You’re never going to completely eradicate crime, and you have to have a police process and judiciary process to deal with that. And I think there are a lot of researchers in the [cybersecurity] field who have come to that conclusion.
For my colleagues at Michigan Tech and me, education is the most important tool. In our automotive program, we’re training people to understand modern propulsion units and controls, plus computers and communications features in cars are proliferating—yet cybersecurity is not a common part of curriculums. We will be offering a new online graduate course starting in Fall 2016. Educating our engineers, both in school and through continuing education, is critical.
That will help us build automotive systems with inherent cybersecurity. Car manufacturers will need to create their own cybersecurity organizations and hire people with the right skillsets. Being able to proactively design in cybersecurity features and control systems has to become part of company culture. Most manufacturers have done this, but to varying degrees.
It has become absolutely necessary for manufacturers to consider the public’s perception of the safety of a vehicle that is vulnerable to cyber attack. Cyber attacks are very much in the public eye, and consumers as well as the insurance industry will take the cyber-safety connection very seriously.