Can a hacker seize control of your car? What’s the worst that could happen? The answers are yes, that could happen someday, and the result could be plenty bad.
A Michigan company is working on ways to improve the cyber security of cars.
For lots of people, a report from WIRED magazine in 2015 was the first time they’d heard that hackers might be able to operate their cars remotely.
One software firm trying to get ahead of those who would exploit these weaknesses is NNG, an Israeli company based in Hungary with operations in Michigan, in partnership with a startup called Arilou Cybersecurity.
WKAR's Scott Pohl recently met up with Arilou founder Ziv Levi and NNG U.S. Sales Director Jeff Rehm. They climbed into a 2017 Jeep Cherokee. These guys aren’t out to pick on Jeep; lots of vehicles have the same vulnerabilities.
With Pohl behind the wheel, Rehm remotely takes control of the vehicle with a laptop while Levi’s laptop thwarts the attack.
In the first of three demonstrations, Rehm messed around with the climate controls. Pretty harmless.
The second hack could have more serious consequences. "We will be taking control of the steering column, including the steering wheel controls," Rehm explains. "When we do that, that allows us to take control of the cruise control." When the vehicle speeds get above 20 miles per hour, the hacker can engage the cruise control and arbitrarily start changing the speed of the vehicle, with no input from the driver.
For this demonstration in a parking lot, the car doesn't move, so the cruise control isn't engaged, but Rehm is able to turn signals on and off until Levi blocks the attack.
The last demonstration is a denial of service attack, where the car’s computer is flooded with nonsense instructions. Overwhelmed, the vehicle shuts down. This time, the car does creep forward. With the car moving slowly, Rehm begins the denial of service and the vehicle drifts to a complete stop.
Levi and Rehm say that a car’s brakes are more powerful than the engine. In a real world situation, the driver could apply the brakes and stop the car.
Levi says most attacks have a financial motive, such as disabling your car until you pay a ransom.
Personal information could also be obtained; maybe your car downloads your smart phone’s address book, or tracks your destinations.
Levi concludes that the NNG-Arilou technology has been independently tested at the University of Michigan Transportation Research Institute to see that it not only prevents cyber attacks, but also doesn’t mistake legitimate communications as an intrusion. "Our system achieved amazing performance on these testings," Levi states, "and we believe it's a very important milestone."
Competition in preventing cyberattacks is heating up, and automakers are showing a great deal of interest. Legislation requiring protective software may be coming, but the auto companies aren’t waiting. These officials from Arilou and NNG think software like theirs could be made mandatory within a year or two.