The bomb exploded as the car
reached the intersection of Park Place and Forest Park Boulevard in Fort Worth,
Texas. The explosion was loud enough
to be heard at an elementary school a couple of blocks away, and I was one of
several students who got to the scene before emergency crews had cleaned it
up. From the front doors rearward
the car looked nearly normal, but there was just a blackened pile of junk where
the front end used to be. The
driver was killed instantly. From
what I recall, later investigation of this mid-1960s incident turned up ties to
organized crime, and I'm not sure but what the criminals put the bomb in the
wrong car. Even the Mafia makes
mistakes.
To commit that crime, someone
had to make a powerful time bomb and gain physical access to the car in order
to plant it. In the near future,
it will be logically possible to wreck a car and kill the driver without ever
laying a finger on either one.
Once wireless networking and Bluetooth communications are integrated in
new models of automobiles, a sufficiently dedicated hacker might be able to
wrest control of the car from the driver and do anything he likes, including
driving the car off a cliff or into a gravel truck.
So far as anyone knows, no one
has committed a successful crime by hacking into a car's software. On the other hand, automotive software
hacking for benign purposes has been around for a decade or more. While teens of an earlier generation
would get greasy in a garage staying up till midnight to hop up a '57 Chevy for
drag racing, today's hot-rodders hack into the valve-control software and tune
up the timing to suit their purposes.
The keyhole for this activity is the OBD-II port—the place an auto tech
plugs a computer into your car to diagnose why your check-engine light is
on.
In a demonstration for the U.S.
military, cyberhackers showed how they could use the port to exert virtually
total control over a current-model car, locking the brakes or even killing the
engine. This kind of hacking
requires extensive knowledge of the car's software and a good deal of reverse
engineering, so it is currently not cost-effective for the bad guys to do
it. And with non-networked cars,
it still requires physical access to the car. But automotive-industry leaders are trying to anticipate the
day when new cars are totally networked and become part of the Internet, which
will open them up to attacks from anywhere in the world.
According to recent press
reports, automakers are organizing an automotive version of an Information
Sharing Advisory Center (ISAC), similar to the ones that the banking and other
information-critical industries have formed to promote the sharing of news
about cyber-threats among competing firms and to develop countermeasures
fast. Just as significant as their
actions is the fact that they are publicizing their actions. One could speculate that the car
companies are trying to send a signal to potential automotive cyber-attackers
that the industry is not sitting idly by, waiting for the first fatality before
something is done to prevent such attacks. Instead, they are putting defenses in place well before any
attack occurs—a sound military tactic.
There may be a lesson here about
the tendency of organizations to lose effectiveness with time. Computers have been used in cars for
less than a generation. But cars
have had ignition keys for close to three generations. The GM ignition-switch failures, with
their resulting fatalities and massive recalls, stem from the negligence of
engineers who have been doing basically the same thing since the 1930s,
although the details have certainly changed over the years. But the engineers in charge of computer
security have grown up in an environment where hacking and cyberattacks are an
ordinary part of life, and to pretend otherwise would be a mark of
incompetence. So it is no great
surprise to hear that car companies are trying to get ahead of computer
criminals by forming an ISAC.
Even so, you can imagine
situations in which the mere threat of such an attack would be profitable for
criminals. Say you're the CEO of
UPS, and one day near the peak Christmas-shipping season you get an email
instructing you to deposit two million dollars in a certain Swiss bank account
by a certain time. If you don't,
the sender promises to throw a digital monkey wrench into your entire fleet of
trucks, all at once. The CEO would
at least have to take such a threat seriously.
I feel like taking a mental bath
after putting myself into the mindset of a cybercriminal that way, but
unfortunately, that is what competent computer-security people have to do in
order to come up with ways to thwart such attacks. The only sure defense against such blackmail is to have enough
encryption and other measures in place so that no conceivable attack will stand
a good chance of working. There is
always a chance that some evil super-genius will figure out a way to hack the
best defenses, but statistically, such people are rare and most cyber-threats
involve only the average amount of cleverness.
The organizers of the first
automotive ISAC are to be congratulated for their foresight in anticipating
what could be a really messy and dangerous problem, and I hope that automotive
cyberattacks are prevented before they can even get off the ground. But no one knows exactly how cars will
interact with the Internet in the future, and depending on how the systems
develop, the best efforts of the good guys may be foiled sooner or later by a
bad guy. Let's hope that day is a
long way off.
Sources: Justin Pritchard's report on the
organization of an automotive ISAC and successful test attempts at automotive
cyberattacks was distributed by the Associated Press and carried by numerous
news outlets such as ABC News on Nov. 25, 2014 at http://abcnews.go.com/Technology/wireStory/computer-hackers-dissect-cars-automakers-react-27132494. The online edition of Auto News carried
another report from a Society of Automotive Engineers conference announcing the
formation of the industry's first ISAC, at http://www.autonews.com/article/20141021/OEM11/141029957/auto-industry-forming-consortium-to-fight-hackers. My blog on the GM ignition switch
recall appeared on June 9, 2014 at http://engineeringethicsblog.blogspot.com/2014/06/the-switch-from-hell-gms-barra-and.html.