When you're driving down the highway, there's nothing scarier than losing control of your vehicle. Hackers may soon make that situation a lot more common. However, instead of this happening because of something in the road, you could lose control because of something in your car's onboard computer.
Cybersecurity researchers Charlie Miller and Chris Valasek proved just how possible this scenario could be when they literally took over a vehicle while it was driving down a highway outside of St. Louis, Missouri. The researchers were demonstrating the existence of a severe vulnerability in the onboard computer of their Jeep Cherokee.
The flaw in the vehicle's computer allowed Miller and Valasek to wirelessly send commands to the steering, transmission, and braking systems as well as more minor things like the air conditioning unit and the radio. It also let them track the vehicle's speed, route, and location, which added a surveillance aspect to the hack.
In a July 2015 article by Wired writer Andy Greenberg, the two experts explained that the hack would work on any Jeep, Chrysler, Fiat or Dodge vehicle with a built-in Uconnect computer system that was manufactured in late 2013, all of 2014, or early 2015. By their estimate, this equaled as many as 471,000 vulnerable vehicles.
The hack works by accessing these vehicles via their connection to the local mobile phone network. With only his laptop and a cheap disposable (burner) phone, Miller was able to home in on possible targets that were located in places across the US. The lack of any real range limitation highlights the massive scope of this hacking technique.
Miller and Valasek contacted Fiat Chrysler Automobiles months before they unveiled the flaw, and the company released a patch for the security hole in July 2015. However, the patch was not sent out wirelessly and can only be deployed at a dealership or through the use of a USB drive. To ensure that vehicles receive the patch, the multinational corporation issued a recall of approximately 1.4 million cars. Fiat Chrysler customers should visit Chrysler's DriveConnect update page to see if their vehicles were recalled.
This was not the first time that Miller and Valasek had broken into a vehicle's computer system. In 2013, they successfully hacked a Ford Escape and a Toyota Prius. At the time, critics were quick to claim that the cybersecurity experts were only able to accomplish this feat by creating a wired connection to the vehicles' onboard computers.
In response to that criticism, Miller and Valasek said that wireless attacks were already a reality, and pointed to research done in 2010 by a group of academics at the University of Washington and the University of California, San Diego. The researchers were able to wirelessly infiltrate the same systems that Miller and Valasek targeted in their 2013 efforts. In Valasek's words, the point of their endeavor wasn't to show that a hacker could get inside a car's system, but rather that they could "do a lot of crazy things once inside."
Nevertheless, the criticism sparked their desire to hack a car wirelessly. Before settling on the Jeep Cherokee as their target, the two experts investigated and rated the cybersecurity measures of 24 vehicles. While the Jeep was determined to be the weakest, other popular brands like the Cadillac Escalade and the Infiniti Q50 were also considered to be remarkably vulnerable to digital threats.
At the moment, there are very few things that people can do to protect their cars from cyberattacks, aside from updating their Fiat Chrysler vehicles with the necessary patches. The lack of options on an individual level doesn't mean that the issue is going unaddressed, since there has been a notable governmental effort in this area. Legislators and national authorities around the world have begun researching ways in which they can mandate better cybersecurity practices in the automotive industry. Standards on the subject aim to govern how car manufacturers defend vehicles from cyberattacks and protect customers' personal information, such as the location records gathered by their GPS-equipped vehicles.
The world's automobile market is rapidly filling up with vehicles that feature more and more digital functionality. There are even some cars that are entirely computer-controlled, as is the case with driverless vehicles currently being developed by companies like Google, Mercedes-Benz, and General Motors. The increasing use of onboard computers emphasizes the need to improve cybersecurity in vehicles. If this need isn't met, society could soon find itself facing a new generation of hackers capable of taking over cars from thousands of miles away.
Here's a tough truth: Everything is hackable. If technology has wireless features, it's especially hackable. If it's connected to the internet, it's the most hackable. So any car with a key fob, onboard wifi, and a built-in 4G antenna? Very, very hackable - and from thousands of miles away.
Digital security has never been more important than in 2014. Cyber crimes are becoming both more prolific and more devastating.
Most recently, the world learned that Russian hackers had stolen 1.2 billion unique password and user name combinations. Shortly afterward, two US supermarkets announced they too had been hacked. Customers' credit card information was stolen from 180 stores across seven states.
Hackers have also targeted the healthcare industry. Over 200 hospitals across the US suffered from a major security breach. The criminals took 4.5 million patient records by exploiting a flaw in a system made vulnerable by the Heartbleed bug.
Heartbleed shocked the world after news of its existence broke in April 2014. It left millions of websites open to attack. Reuters estimated that the bug cost businesses tens of millions of dollars.
These examples illustrate the increasing scale of cyber criminal attacks. Recent studies confirm that these attacks affect an exponentially growing number of people, with a related surge in the revenue acquired by criminals.
There's no limit to the time and creativity being invested by the latest generation of cyber thieves. This has led to an ever-expanding number of tactics and exploits through which attacks may be executed. As a result, cyber thieves now have more tools at their disposal to help them steal protected information or money online.
Currently, the most newsworthy method is breaching the security of a major corporation or organisation, as was the case in the examples discussed earlier. Unfortunately, there's nothing that the average person can do to protect his or her information from this type of attack.
Hackers also steal their victims' information by strong-arming their way into otherwise secure systems. These brute-force efforts crack passwords by systematically running through every password possibility. Criminals using this attack can narrow down the search using known details about the password or user. They can also speed up the process using dictionaries of common password combinations, like "abc123" or "password."
Another popular hacker trick is phishing. Phishing occurs when hackers pose as trustworthy companies to trick people into giving up their sensitive account information. Typically, the recipient receives an email or instant message urging them to enter their account information on a fake website that looks identical to the real one.
Criminals also use social engineering techniques to trick people into giving up their passwords. They know that people will sometimes accidentally reveal important information to friendly strangers. Similarly, hackers can convince people to give up their passwords by pretending to be legitimate IT specialists hired by the company.
While many of these methods seem crude, they can be very effective.
While it seems little can be done to defend against these attacks, the first and most important step is to revisit password strategies.
In order to properly use passwords, one must understand the concept of password strength. IT professionals express the strength of a password in bits, a measure of how many guesses an attacker would need to try every possibility. In short, the more bits a password has, the stronger it is.
Passwords with 12 case-sensitive letters have 64 bits of strength, which could take a hacker quite some time to crack. However, the use of symbols, numbers, and case-sensitive letters can substantially improve password strength. According to information security expert George Shaffer, an eight-character password of this complexity is unlikely to be cracked for two years.
A single strong password isn't enough protection, though, as it may be leaked to an attacker through social engineering or some other attack. Given the risk, the best strategy is to use a unique strong password for every account.
Password managers offer a convenient solution for the handling of complex passwords. These applications typically provide features for the generation and storage of passwords.
Many password managers also provide automatic password auditing to identify weak or shared passwords. Some even issue alerts in the event that a password is compromised, providing a chance to salvage a compromised account before any damage is done.
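The kind of audit described above, sketched as an added example that is not from the original article or from any particular password manager: it estimates brute-force strength in bits from length and character classes, flags passwords a dictionary attack would try first, and detects passwords shared between accounts. The vault contents, the short common-password list, and the 60-bit threshold are constructed assumptions.

```python
import math
import string
from collections import defaultdict

# Constructed sample data: a tiny stand-in for a common-password dictionary.
COMMON_PASSWORDS = {"abc123", "password", "123456", "qwerty", "letmein"}
WEAK_BITS = 60  # assumed threshold for this example, not a standard


def brute_force_bits(password):
    """Upper bound on strength: length * log2(size of the character pool used)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def audit(vault):
    """Return {account: [findings]} for every account that has a problem."""
    by_password = defaultdict(list)
    for account, pw in vault.items():
        by_password[pw].append(account)

    findings = defaultdict(list)
    for account, pw in vault.items():
        if pw.lower() in COMMON_PASSWORDS:
            # A dictionary attack tries these first, so the bit count is moot.
            findings[account].append("dictionary")
        elif brute_force_bits(pw) < WEAK_BITS:
            findings[account].append("weak")
        if len(by_password[pw]) > 1:
            findings[account].append("shared")
    return dict(findings)


# Constructed vault for illustration only.
SAMPLE_VAULT = {
    "bank": "T7#qLw9!vRz2$Kp",
    "email": "Password",
    "forum": "sunshine7",
    "shop": "sunshine7",
}

if __name__ == "__main__":
    for account, problems in audit(SAMPLE_VAULT).items():
        print(f"{account}: {', '.join(problems)}")
```

The bit estimate is only an upper bound: it assumes every character was chosen at random, which is why the dictionary check takes priority over it.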
There are few downsides to using a password manager. The most notable is the chance of the password database being stolen or compromised. However, many of these databases are stored online in encrypted form, so the benefits tend to outweigh the risks.
Standard authentication, or logging in, relies on a username and password. If an attacker obtains the password associated with a username, they can easily compromise the related account. As its name suggests, multi-factor authentication (MFA) instead relies on multiple pieces of information, providing an added degree of protection.
Typically, MFA requires two pieces of information: something you know and something you have. An example of MFA in everyday life would be authentication for ATM access. In order to access your bank account through an ATM, you need something you know (your PIN) and something you have (your card). Similarly, accessing an MFA-enabled account requires not only a password, but also interaction with something you have, such as a mobile phone or digital fob.
Where it is offered, MFA is one of the best options for protecting an account. Banks and larger IT service providers, like Google and Microsoft, usually offer MFA, but most services do not.