You might remember the infamous Jeep hack last year, in 2015. In a scary demonstration, Charlie Miller and Chris Valasek demonstrated their ability to remotely control almost everything, including steering and braking. They could even kill the Jeep’s engine. The hack was done 10 miles from the car – and could have been performed from up to 70 miles away!
Their technical whitepaper gives the details. They actually found a few ways to hack into the car, including via its WiFi service, but the most productive way was via the car’s telematics system. Telematics systems are used for real-time vehicle tracking, safety communications, fleet management – anything that requires remote access. The system connects to a cellular (mobile) network to transmit and receive data.
Unfortunately, the Jeep’s telematics system was listening for incoming connections on port 6667, and anyone who could determine the car’s IP address could connect and control the car! This could be done from anywhere, as long as they were on the same cellular network.
The only minor difficulty was determining the car’s IP address. It turned out the cars using this particular system (Uconnect) were allocated an IP address from a particular block of IP addresses. These were easily scanned for a response to a connection attempt on port 6667.
Based on the number of vulnerable vehicles found during scanning, Miller and Valasek estimated up to half a million vehicles were vulnerable across the US. Their research ended up prompting manufacturers to recall 1.4 million vehicles!
In March 2016, the FBI issued a public service announcement about vehicle hacking. They provided some sensible advice about minimising the chances of this happening. This advice includes keeping vehicle software up to date, and being cautious with third-party devices connected to your vehicle.
These are ominous developments. Over the last two decades we’ve become used to the idea of computer security, and many people use anti-virus software on their home machines. We’re aware that we need to be careful, and the consequences of a hack could be having our bank accounts emptied or our credit cards abused.
We’ve even become used to the idea of smart TVs, with them auto-updating their software and being constantly connected to the Internet. Few people have had any issues with their TVs being attacked, although surely that is coming.
However vehicle hacking is another level altogether. The consequences could be immediately life-threatening. Anyone familiar with the darker side of the Internet would have little doubt that somewhere there are individuals who would find it entertaining to cause car crashes remotely.
But like with the Internet of Things that is inexorably making its way into our homes, we have little control, and no option other than to trust vehicle manufacturers. Unfortunately, trust between manufacturers and consumers has been completely shattered by the VW debacle. Given the inherent risks, perhaps there needs to be an independent body responsible for certifying car security design. In a few years time, self-driving vehicles may be ubiquitous, and the need for security will be far greater than it is today.