Every year, our cars inch closer to becoming rolling smartphones, and while we revel in the opportunity to link our devices, communicate with our circles, and update our preferences on the fly, the windows of opportunity for hackers grow with each advancement.
To showcase the vulnerabilities of the connected car, two security experts in Missouri recently took control of a Jeep Cherokee as it drove down the highway. You’ve heard of hackers commandeering door locks and sound systems before, but Chris Valasek and Charlie Miller were able to hijack the vehicle’s Unconnect infotainment system and manipulate the brakes, engine, and transmission with a couple laptops in a living room.
The Uconnect experiment wasn’t the first time a car has been hacked, and it certainly won’t be the last, but perhaps more stringent regulations can cut down on incidents like these in the future.
The Security and Privacy in Your Car Act (SPY Car Act), a Senate bill recently proposed by Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.), hopes to do just that, and we reached out to industry experts to get their take.
One authority we spoke to was Mahbubul Alam, the chief technology officer for Movimento Group. Movimento specializes in over-the-air software updates and connected cars, and the company’s latest offering can update any OBDII vehicle’s operating system wirelessly once the client has been installed. For Alam, keeping hackers out is all about redundancy.
“Security is a constant rate race,” he said. “You just have to be ahead of those hackers, that’s the race, and it’s a lifelong race.”
“Since [Movimento] can update all the ECUs, we are also monitoring those ECUs,” he continued. “The way that the ECUs work in a nutshell, there is an operational mode and there is a programming mode. If someone is trying to set the ECU into programming mode, and it is not authorized by the Movimento client or the cloud manager, we will block it and report it back. The car will continue to operate there will not be any change. We can do that within 10 milliseconds, and the ECU typically takes longer than that [to react].”
While companies like Movimento pride themselves on their safeguarding abilities, it appears that mainstream automakers have fallen behind, as the technologies and talents of hackers have zeroed in on the weaknesses of the modern connected car. Legislators and pundits around the world are echoing Markey and Blumenthal’s concerns, but few are closer to the issue than the men who sent the Jeep Cherokee helplessly rolling to a stop.
“We feel that as cars become more connected, software security becomes more important,” Valasek and Miller said in a statement. “In addition to robust, well-tested software, technology for monitoring, logging, detecting, and possibly stopping attacks should also be implemented.”