Cars Aren't Target for Hackers; They're Gateway to Higher-Profile Attacks
24 February 2015 - Autoblog
Cyber threats have emerged as a big concern for automakers, as researchers have exposed serious holes in vehicle security that could allow hackers to commandeer cars. Those worries might be small compared to what's ahead.
Cars themselves won't be the end game for hackers in the near future, a leading cyber-security analyst said Tuesday. Instead, they'll be used as mobile gateways to hack more prominent targets.
"My biggest fear is we'll see an example of an attack where a car was used to hack into something else," Dr. Anuja Sonalker, lead scientist and program manager at Battelle, tells Autoblog. "All the pieces are there. It's a matter of time."
She spoke at a conference sponsored by the Center for Automotive Research, at which industry leaders sought answers for these cyber attacks following a spate of high-profile problems that have cropped up in recent months.
So far, vehicle hacks have remained within the realm of white-hat researchers, who have demonstrated the ability to remotely control critical safety functions like steering, braking and acceleration, as well as unlocking doors and overriding driver inputs.
Real-world attacks on cars have not yet occurred, experts say, at least partially because the research is both time-consuming and expensive. It can take months of intricate planning to infiltrate a single car, and for hackers with malicious intent, there's ultimately little incentive.
But Sonalker and others foresee trouble. Security vulnerabilities in today's cars provide hackers with attractive entry points, and the connectivity automakers are rushing into their fleets outfits them with the means to spread their malware elsewhere.
"They're trying to springboard off into launching something bigger," she said. "Nobody is going to hold it against you now that your car is hackable. It's understood that it is. Now it's about how do we protect the ecosystem around it, because if we can't, it's going to lead to large-scale disastrous effects."
New Targets, Same As Old Targets?
Sonalker has studied the problem for the past two-and-a-half years at Battelle, a national nonprofit research and development organization based in Columbus, OH. While white-hat researchers have identified cyber threats in individual industries, she's in an unusual position because she can see how they potentially fit together across fields.
In a modest attack scenario, she believes hackers will use cars as the point of origin to carry out attacks against the same high-reward prey seen in the headlines today. Attacks against the likes of Target, Anthem and Sony will simply be carried out via the connected car.
It's that connectivity that complicates things. Even if automakers design their cars with the best-possible armor, the security measures are often only as useful as the security on the smartphone a driver brings into the car.
"There's a lot of functionality through apps on your phone," said Praveen Narayanan, research manager at Frost & Sullivan. "Today, that's the first point of attack."
For example, if a motorist pairs a smartphone with Bluetooth, researchers believe a hacker could use banking information on the phone to breach security at a banking institution.
While financial motivations may lie at the heart of many cyber attacks, the car does present more malevolent opportunities beyond money.
Targets Range Beyond Vehicles
Electric vehicles are plugged into both private and public chargers, and security measures may be inadequate to protect infrastructure from problems. Could a black-hat hacker disrupt a regional power grid if they navigate those connections?
"You have an infected car connected to infrastructure in a legitimate way," Sonalker said. "It has legitimate access to that infrastructure. So all the security mechanisms will work flawlessly. Your car will be authenticated, but it has stuff on it that's bad for the system."
The opposite is also true. Hackers could breach security in infrastructure and work backward into cars. University researchers infiltrated traffic lights in a study conducted last year, and tinkered with signals unabated. In a connected-car world, that sort of hack could be extended into something more nefarious.
Vehicle-to-vehicle and vehicle-to-infrastructure communication systems now being developed by the federal government are supposed to keep drivers safer by relaying information on traffic and road conditions ahead. But they rely on information being accurate. If misleading information is injected into the system, the consequences for drivers could be severe.
Scale Of Attack Depends On Range Of Connection
The size of an ensuing catastrophe is correlated with the range of the connection.
Bluetooth connections have a reach of 25 yards. Wireless connections have a reach of 100 feet. But General Motors and others are introducing 4G LTE connections into cars, and many automakers are fixing software glitches with over-the-air updates. These tools are useful, but they broaden the scope of a potential malicious attack.
BMW used over-the-air updates in recent weeks to implement a fix for security holes in its remote-services system that affected 2.2 million cars. If a hacker could piggy-back on such an update, a fleet-wide attack could be generated. Black-hats are close.
"I think they have the pieces," Sonalker said. "If you follow the last several years, they've demonstrated successful hacks into cars, health-care devices, pacemakers, TVs, everything. So the pieces are there, and the internet of things is not going away. It's here."