In-car audio systems present a danger to us all. And no, that's not because boy racers insist on driving around with them blaring out at 120 decibels but because they present a new route for hackers to seize control of vehicles.
According to a team of researchers from the NCC Group, cyber-criminals can seize control of cars' engines and brakes by using digital audio broadcasting (DAB) radio signals. According to Andy Davis, research director of the NCC Group, there's no need for any specialist ki to carry out an attack, “The equipment is reasonably cheap - around £500 to £600 – and the software I used was freely available open source. It's an attack that could easily be carried out by someone with a background in RF,” he said.
However, Mark James, security specialist at IT security firm ESET said such attacks were very specialised, “Most malware we see currently is mass delivered to infect as many computers as possible, when it comes down to money it's all about quantity not necessarily about quality. It definitely needs to be monitored and dealt with for public safety's sake. With that being said, there will be criminals out there that will see this as an opportunity to achieve a goal and will take an interest in this type of threat.”
There have been concerns about the safety of cars for some time now: a feeling intensified after researchers Chris Valasek and Charlie Miller took control of a Chrysler Jeep through a mobile phone signal. An attack of such concern that Chrysler has been forced to withdraw 1.4 million Jeeps that are vulnerable to such attacks.
But Davis said that it wasn't about a particular auto manufacturer or a particular method of attack. “This is not about one vulnerability but a whole range of different vulnerabilities,” he said, pointing out the level of complexity that DAB offers, “As opposed to analogue, it's a technology that massively increases the amount of data you can send: more complicated text; you can send images, websites, even video.” It's this complexity that causes the problems.
And, he said, there was no intention to single out any individual manufacturers.” We haven't done significant market analysis about the vendors. This is to help them make vehicles more secure,” he added.
Such is the concern about the safety of wireless in cars that two US senators, Edward Markey and Richard Blumenthal, have introduced a new bill to ensure more stringent security standards in motor vehicles. Davis said such a move would be welcomed by the vendors. “The car manufacturers have been asking for cyber-security standards for some time – they want a way to take an engineering approach to design their cars in a secure way,” he said.
The problem with standards is they take some time to mature, he added. “What we're calling for is an approach to security - ASDL (automotive secure development lifecycle) – that will link all the processes together so they start thinking of security right from the design process.”
ESET's James agreed. “The car manufactures will be taking these threats very seriously, so many cars these days are incorporating the infotainment system and they, as much as us, will want these systems secure and safe for public use. We will see many patches and fixes in the coming weeks to get these systems locked down as these features can be a major part of choosing the right vehicle when parting with our hard earned money these days.”