Hacking cars: What can consumers do to stay safe?
Modern cars are increasingly built for online connectivity, but experts say security is lax
Brian Bourne "half-jokes" he hasn't learned anything new about computer security in 20 years.
Instead, the noted security expert and co-founder of the SecTor conference says he just repeats what has been true of electronic security since, at least, the mid 1990s.
In fact, Bourne says, today's modern cars — which include any number of gadgets that can be accessed over the internet or cellphone networks — can be just as susceptible to hackers and malware as a desktop computer was in 1995.
"History repeats itself," Bourne told CBC News. "Every time new technology emerges, there's a general rush to get out something cool, something to get consumers excited.
"But security tends to be the last thing [manufacturers] spend money on."
On Friday, Fiat Chrysler announced a voluntary recall of 1.4 million cars and trucks, which includes Dodge, Jeep and Ram vehicles, due to concerns they are vulnerable to hacking. (This does not include any Canadian Chrysler vehicles.)
This comes after an article published in Wired this week, in which two well-meaning U.S. hackers demonstrated how to hack into a Jeep Cherokee's most critical systems — and kill the engine, for example, while the car's on a busy highway.
Concerns about cars have been percolating among e-security experts for a few years now, as automakers rushed to keep cars abreast of the demands of increasingly connected, tech-happy consumers.
Some of the latest models offer internet connections via cellphone networks, among other features.
There are a lot of remote ways to attack a car.- Computer security expert Brian Bourne
Bourne says he was pleased to hear about the Jeep Cherokee hack, which was demonstrated on a willing participant, because it puts pressure on automakers to pay more attention to electronic security, which in a car represents a very real risk to life and limb.
Research "clearly shows that security between the various systems in a vehicle all communicate rather openly without security firewalls or sender verification," Bourne said.
"This is substantially similar to an internet-connected PC in 1995."
"Car companies have to take the threat very seriously," he added. "There are a lot of remote ways to attack a car."
Manufacturer Fiat Chrysler said it had issued a fix for the most serious vulnerability involved in the Jeep hack.
The company said in a statement that, like smartphones and tablets, "vehicle software can require updates for improved security protection."
Attacks getting easier
Such attacks are difficult to pull off, but won't be for long, according to Mohamed Amin, a computer science graduate student at Carleton University.
"Hackers are very, very creative people," said Amin, and vulnerabilities become easier to exploit once they're discovered.
Amin also fears that automakers will not take e-security seriously unless consumers push for it.
"The onus is on the consumer," he said. "They need to be aware of these issues. That's the only way."
Consumer Yanet Cavero shares some of these concerns. Though she hadn't heard about what hackers did to that Jeep Cherokee on Route 40 in St. Louis, she said she has become increasingly concerned about the inter-connections among devices big and small.
"I believe in technology. I use technology. But I'm not 100 per cent sure everything we're adding or changing is beneficial for everybody," said Cavero, who works as a risk analyst for a bank.
She said concerns about e-security would probably lead her to look for an older model if she were in the market for a car.
"I wouldn't chose something completely computerized. I would probably go with something more old-fashioned," she said.
Automatic updates
One of the keys to security, as many computer users have learned the hard way, is keeping up to date. Anti-virus software, as well as browsers and apps must have the latest data from their manufacturers to ward off malicious attacks.
Many of those updates now happen automatically. The same will need to be true of cars, says Bourne. It's not enough to post an update on a website, which motorists must then download and install on their vehicles.
If the updates don't install themselves "through the air," as he puts it, the next best option is to keep cars disconnected.
If not, what are the chances, he wonders aloud, that someone like his aged parents would know or remember to update their car's firmware?
Presumably pretty slim.