We hate to sound like a broken record, but it bears repeating: Automotive hacking is no longer just a scary concept – it’s become a reality. We’re starting to see real-world examples of criminals taking advantage of cars’ vulnerabilities to break into their computer systems. Just as importantly, researchers and experts are proving that many vehicles are now more susceptible than ever before to cyberattacks.
The most recent example of this unfortunate trend is also one of the scariest. As a “60 Minutes” report highlighted, the Department of Defense’s Defense Advanced Research Projects Agency – better known as DARPA – demonstrated that it could hack General Motors’ OnStar system, gaining nearly complete control of a Chevrolet Impala as a result.
If car manufacturers don’t take steps now to address these types of issues, it won’t just be researchers who are digitally hijacking vehicles – it’ll be actual criminals. Automotive companies need to invest in static code analysis and other related software solutions that can identify and correct potential code vulnerabilities early on, before they become serious safety threats in the real world.
An eye-opening demonstration
The “60 Minutes” report highlighted the efforts of DARPA, an agency dedicated to developing and testing technology to improve national security in the United States. It’s fair to say that the simple fact that DARPA has now turned its attention to the realm of automotive cybersecurity is proof of how serious this issue has become in the past few years.
And with good reason. As the report revealed, the head of DARPA’s Information Innovation Office, Dan Kaufman, demonstrated how his team of engineers could dial into a Chevy Impala’s OnStar system and transmit a data packet containing malicious code. This code reprogrammed the ECU, giving the DARPA team control of many of the car’s operations. In some cases, this control was fairly harmless – for instance, the researchers were able to activate the windshield wipers and honk the horn.
More importantly, the DARPA engineers were also able to gain complete control of the throttle and brakes. In the “60 Minutes” video, the reporter driving the car was helpless to prevent the vehicle from crashing into a row of cones.
The threat is real
We hardly need to note that the real-world implications of this type of automotive takeover are horrifying. In the past, we’ve talked about how automotive cyberattacks could compromise drivers’ privacy, as hackers could access car microphones and audio systems. Additionally, we’ve already seen criminal cases cropping up – most notably in Montreal in December, when the CBC reported on a string of car break-ins without signs of forced entry that led many to suspect hackers were responsible.
But DARPA’s demonstration brings the importance of automotive cybersecurity to a whole new level. With the takeover of a car’s steering and brakes, this becomes a top-level safety issue. And as the “60 Minutes” report made clear, the technology needed to hack a vehicle in this way isn’t on the distant horizon – it is available here and now.
Furthermore, this particular hacking tactic is not necessarily limited to one make and model. It’s very possible, even likely, that other vehicles are equally susceptible.
This problem isn’t going to go away. Virtually every automotive manufacturer is increasing the interconnectedness of its car systems, making them more convenient while adding capabilities. Consumers want to be able to control their dashboards with their iPhones, play music on their car speakers via their Android phones and so on, and car makers are responding. This means that, for the first time, car systems are becoming externally accessible.
That’s why vulnerabilities have become such a huge problem. In the past, software flaws could cause functionality problems and embarrassment for car manufacturers. Now, they create opportunities that hackers and other cybercriminals can take advantage of, putting drivers and passengers at serious risk.
It’s therefore essential for car companies to catch these flaws early on, before the software is released. And that’s where Klocwork enters the picture. Klocwork’s static code analysis identifies potential coding problems in real time as developers write code for new applications. Klocwork then goes further, explaining the vulnerability and offering alternative suggestions. This allows developers to continue to focus on features and hit their deadlines without compromising security.
Automotive hacking is real, but it can be thwarted with the right tools and right strategy.