Many new cars can be turned on and off with a tap of a smartphone. Others can apply the brakes while a driver is distracted, park themselves and maintain safe distances from surrounding vehicles. But with their increasing reliance on electronic controls, cars open themselves up to malicious manipulation.
As researchers from the University of California San Diego and Washington University proved in 2010, hacking a car's electronics system is not only possible, but in some cases quite easy. The scientists successfully tapped into a car's electronic control module (ECM), which interfaces with most of a car's dynamic systems, including engine, transmission, traction controls and braking systems. By doing so, they were able to tinker with combustion rates and even completely disable the engine. Further tests showed that they could render brakes useless, even while the car was running at 40mph, as well as keep a car running when it was turned off. Their testing culminated with a full system shutdown: the horn at full wail, doors locked, automatic-unlock buttons disabled and engine shut off.
NHTSA's concern is that hackers could wreak similar havoc over wireless connections. "Whether the entry point into the vehicle is the internet, aftermarket devices, USB ports or mobile phones, these new portals bring new challenges," Strickland said in his remarks.
So-called vehicle-to-vehicle (V2V) and vehicle-to-grid (V2G) communication technologies, as well as the advent of semi-autonomous vehicles, present additional layers of intrigue. NHTSA is currently testing self-driving cars and recently established standards for a car's level of automation. As vehicles take over more decision-making processes and communicate with each other, the administration is trying to set standards for how these communications occur.
NHTSA can compel automakers to follow standards only under certain conditions, and it is unclear whether its efforts would stifle innovation or have any measurable effect on automakers’ product strategies. The contradictory impulses in the debate are most clear in states like Nevada, California and Florida, which permit self-driving vehicles, yet in a policy statement released last month, NHTSA said it did not recommend “that states permit operation of self-driving vehicles for purposes other than testing."
There is consensus, however, around how to safeguard against potential hacks of increasingly networked passenger cars. Automakers must acknowledge the potential threats to their vehicles – and those vehicles’ purchasers – and move to safeguard their systems. Meanwhile, the government must ensure these protections are put in place. But with NHTSA only setting up its electronics division to focus on those issues in the past weeks, a lack of urgency may be the greatest immediate threat to drivers.
Limitations first: hackers cannot magically gain control of a car. While cars are increasingly computerized, not every system involved in driving is hooked up to external controls. Let me repeat that for clarity: in almost every car currently on the road, it's impossible to hack the steering. A hacker trying to kill someone via car can't just take over and pilot the vehicle into a tree or off a cliff.
Attacks that irritate or confuse the driver.Researchers demonstrated that hackers could permanently activate the car horn, shoot windshield wiper fluid continuously, disable headlights, falsify the speedometer reading, increase radio volume, and turn off auxiliary lights. In testing, none of these attacks could be stopped by a manual override--which might be enough to cause a car accident on a dimly lit road at night. Alternatively, a well-timed burst of full-volume sound with cut lights and a wiper-fluid-obscured windshield could provoke a sudden accident, but that's a lot of effort and leaves a lot to chance. Mucking about with the speedometer can cause problems, though a driver who can roughly keep up with traffic will be able to get by without it. Most likely result of these attacks? A driver would be annoyed, pull over, get out of the car, and have a long weird call with AAA.
Attacks that change the speed of the car.Far deadlier are hackers manipulating brakes. In testing, the researchers demonstrated an ability to engage the left and right brakes of a car independently, as well as unevenly engaging right side brakes, and perhaps scariest of all, release all brakes and prevent braking. That, more than anything else, provides the real risk in a car hacking attack. A car that can't brake is a hazard, straight-up, to the driver and everyone around them, but it's not necessarily fatal unless it's so well timed as to be a scripted moment in a Hollywood film.
While car hacking is potentially deadly, it's a really, really uncertain way to attack someone. The effort involved in finding, hacking, and monitoring the car, and then picking the exact right moment to disable the breaks, make such an idea more like "Enemy of the State" than a real threat. It's complicated and probably requires a surveillance team. Bullets are a usually but not always more reliable means, and they require much less planning and coordination.
Failing that, there's always the option of poisoning by polonium-210, most famously used against an ex-KGB agent in London in 2006. If a car must be used, car-bomb assassinations have precedent both in the United States and abroad.