Earlier this year, Russian antivirus firm Kaspersky Labs ignited a firestorm of discussion in technical circles (and caught the attention of a few mainstream publications) when it reported that it was investigating whether the Cabir virus could infect the onboard computer system of a Lexus. Toyota (parent firm of Lexus) resolutely denied such an infection was possible. Antivirus firm F-Secure later submitted a Prius, which uses the same onboard system as the Lexus, to intensive testing and scrutiny and was unable to crash the system. Nevertheless, many security experts postulated the time had come to consider the potential vulnerabilities of onboard computer devices. Could a virus or a hacker invade an onboard automotive system? If so, what sort of damage could it do? In this article, we'll take a look at those questions.
Operating Issues
Car manufacturers have used computer chips in automobile sensors and other components for years. However, only recently have automakers begun installing telematics solutions (computerized navigational, diagnostics, and communications systems) that have the ability to communicate with the outside world. Many of these vehicles are also equipped with GPS (global positioning system devices, which can track the location of a car or provide directions) and Bluetooth (a wireless data exchange technology that is a target of virus makers). At the present time, telematics solutions fall into two categories: proprietary (developed by and unique to the particular automotive manufacturer) and Windows-based. (Linux-based systems are available as add-ons, but they are not widely used yet.) Can either of these systems be hacked or infected with a virus? According to the automakers, the answer is a resounding, "No way." Some antivirus and security experts, however, say the possibility exists.
Proprietary Power
Keith Yaden, communications manager for OnStar (the most widely recognized telematics provider, whose systems are installed in Acura, General Motors, Volkswagen, and other vehicles), says that the entire point of OnStar is safety, security, and peace of mind. As such, he notes, it is mission critical that its systems withstand intrusion. OnStar does not offer Internet connectivity (a prime channel for intruders). Additionally, Yaden says, "We [incorporate] safeguards during product development, as well as into operation and service delivery." "When OnStar is connected to the vehicle, it has a secure cellular connection that is authorized and authenticated by an OnStar server for phone calls out of or into the vehicle," Yaden says. When we asked if an intruder could crack the OnStar server and steal information or control cars from that point, Yaden responded, "We work with our service providers and vendors to design and deploy secure systems. We subject them to regular internal and external audits to monitor them for any potential vulnerabilities so corrective action can be taken." (Yaden could not disclose any specifics.) Other automakers with proprietary solutions frequently echo Yaden's comments, saying they take every possible precaution to ensure their systems are safe and secure. According to Mikko Hypponen, chief research officer at F-Secure, even proprietary systems with Internet or Bluetooth connections are most likely safe. Because these systems are developed privately and independently, Hypponen says, a virus writer or cracker would have to spend thousands of dollars and a considerable amount of time purposefully working to develop a tailor-made threat against that particular car. Crackers and virus writers generally adopt the lowest common denominator approach—deciding where they can do the least amount of work with the most resulting gain.
Because PCs and mobile phones are far easier to crack and infect, Hypponen says these are more likely targets. In the F-Secure tests on the Toyota Prius, researchers tried to infect the vehicle via Bluetooth with several variants of Cabir and also attempted all other known types of Bluetooth attacks. According to F-Secure researcher Jarno Niemela, "No matter what we did, the car did not react to the Bluetooth traffic at all. We managed to find one minor issue with the system (a corrupted phone name would freeze the onboard display), but otherwise the Prius Bluetooth system was far more stable than our test phones and PCs. We had to reboot our test systems several times, as their Bluetooth systems died on us, while Toyota Prius just kept going."
An Open Window?
Windows Automotive, the Windows CE-based OS that BMW, Fiat, Mitsubishi, and others use as a component of their solutions, has garnered some nice kudos in the telematics marketplace since its introduction in 1998. Last year, the Telematics Update Awards named Microsoft's Connected Car technology, which runs on a Windows Automotive platform, the industry's best end-to-end solution. Nevertheless, a security document published on the MSDN (Microsoft Developer Network) Web site warns developers of several security vulnerabilities. These include Web browser issues that will enable a user to unknowingly download malicious code to the device, and concerns that networked Windows Automotive devices could be vulnerable to tampering and misuse. Microsoft also warns against using ActiveX controls with the Safe For Scripting option enabled. In the report, Microsoft underscores that manufacturers can avoid potential problems by installing proper security measures and implementing network protocols safely and securely. Car manufacturers that incorporate Windows Automotive in their solutions assert they have done just that, incorporating stringent firewalls and other protections in their solutions. To date there have been no reports of malicious intrusion involving Windows Automotive.
However, Hypponen suggests Windows-based systems are inherently more vulnerable than proprietary ones. As the most common platform on the earth, and the most popular target for virus makers, Windows has a much wider audience that can attack it. "Some of the services Windows [CE] Embedded runs by default, and that have Internet connectivity by default, are the same ones that run on your [Windows-based] computer. We have already seen instances of hacking in $1 million logging tractors. These tractors run Windows XP and use GPS for tracking and GPRS (general packet radio service, a mobile data service) to connect to the Internet. These machines are in the middle of nowhere taking down trees, reporting where they are, what they are doing. Then a worm randomly going through the Internet finds a tractor and it stops running. It won't take down trees, it won't do anything." (Hypponen says F-Secure resolved the issue by installing antivirus and firewall devices on the tractor.) "Similar embedded worms have attacked all sorts of devices," Hypponen continues. In particular, he points to the news reports in 2004 that several Windows-based hospital networks became infected with MS-Blaster and Sasser worms originating from medical devices with embedded OSes. "Cars running Windows and with immediate [Internet] connectivity," Hypponen asserts, "become a target for these worms. We might end up with the same scenarios we had with these tractors or these hospitals, where someone could hack into them and the user would be infected—or at least affected—by them." Injecting a note of objectivity to balance these alarming assertions, Hypponen also says about Windows Automotive, "We haven't played with any cars running the [Windows Automotive] system. However, I know you can shut down the system at any time and [the car] will not crash."
Companies design monitoring systems, such as the one in OnStar, to sense when a crash occurs or to warn of impending mechanical failure, but they do not control the operation of a vehicle's mechanical systems.
A Safer Future?
At present, it is much more likely that irritants for drivers with onboard computerized systems will be external factors. For example, systems dependent on cellular connections could be disrupted. Yaden says OnStar experienced service outages during the East Coast power failure of 2003, and security experts say it is possible for a hacker to shut down a cellular base station temporarily, disrupting service for everyone within a certain area. Additionally, unexpected system failures might cause grief. Niemela says that when battery power dropped below a certain threshold during F-Secure's tests on the Prius, "The onboard computer displayed a severe warning and the car went totally dead. Even the door locks didn't open anymore." In 2003, the Bangkok Post reported that Thailand's Finance Minister, Suchart Jaovisidha, was trapped in his BMW 520 for 10 minutes after the car's Windows-Automotive-based iDrive system crashed. However, experts warn that automakers must not relax their diligence, as the future of telematics security is still unclear. In their detailed report, "Security in Automotive Bus Systems," researchers Marko Wolf, André Weimerskirch, and Christof Paar noted, "[Some] automotive communication networks have access to crucial components of the vehicle, like brakes, airbags, and the engine control. Cars that are equipped with driving aid systems allow deep interventions in the driving behavior of the vehicle . . . . Malicious attackers are not to be underestimated."
by Jennifer Farwell