Robert Barrett and Jack Dunham hack cars for a living.
In their garage on the Fremont campus of Underwriters Laboratories, they probe for weaknesses that criminals might exploit to tamper with or take control of today’s Web-connected cars.
It’s not an academic pursuit.
Hackers years ago demonstrated an ability to commandeer, remotely, a vehicle’s transmission and steering, although the known cases have not been random, broad-based attacks but instead were aimed at specific vulnerabilities in specific cars.
Automakers, keen to market their latest creations as computers on wheels, take the threat seriously. They’ve turned to Barrett, Dunham and Underwriters Laboratories to do what the lab has done for more than a century: figure out how their products might fail.
While Barrett and Dunham say there’s no need to go buy a 1972 Pinto, they also recommend caution before plugging new devices into your car. This interview has been edited for length and clarity.
Q: So how cybersecure are modern cars?
Dunham: They are safer than the sensationalist hacks you see in the headlines would lead you to believe. For the most part, people are not going to be subject to attacks. The way hackers are constantly probing the Internet for computers not protected by firewalls — that isn’t happening in cars yet.
Barrett: What we’re trying to do is validate that the car is safe and will be safe in the future. We see the vehicle far before it gets to the public.
Q: What are the paths that hackers use to break into cars?
Dunham: There are lots. One is wireless attacks whereby a bad guy, a hacker, can leverage wireless connections, sending data to an interface that is malformed in some way. Or you might have an after-market dongle that’s designed to help you improve your fuel economy, and if you send it a text message, you might even be able to write new firmware to it. A lot of times, these devices don’t have great security in terms of letting their firmware be modified.
Q: Can hackers get in through a car’s infotainment services linked to the Internet?
Dunham: The Wired article on hacking a Jeep? They got in through the infotainment unit. That unit was just a general-purpose computer. That general-purpose computer happened to be attached to a CAN bus (a system that lets vehicle systems communicate with each other) that was attached to brakes and steering.
Barrett: If you’re using an app on your cell phone that can open garage doors, or a companion app for vehicles that will remote-start your car or unlock your doors for you, it turns out that with very inexpensive gear you can get on Amazon, someone can actually get access to your password. So if the bad-guy hacker were sitting in front of your house, he would be able to ascertain your password.
Dunham: They can open the trunk or the doors of the vehicle — if you’ve gained access, you can do that.
Barrett: I don’t want someone going and stealing things out of my car. That may not make the headlines like taking control of the steering wheel, but I don’t want it.
Read more of the original article at SF Chronicle.