Cars becoming vulnerable to computer hackers

There have been no reports of physical injury as a result of car hacks, but researchers warn it is a matter of time. Carmakers see infotainment systems, in-car internet access and smartphone connectivity as ways to get a competitive edge.

Hackers see them as embedded systems: mini-computers that lack security software. As such they're access points and loading a virus in to any one of them has been shown to let a malicious user:

• Steal contact details transferred from the phone to the car's hard drive
• Track where the vehicle goes using the GPS in the satellite navigation system
• Take control of any of the car's systems that are computer-assisted.

That includes the engine, brakes and even the steering wheel. Given modern cars are now mobile computing platforms, it's no surprise PC virus-protection companies are getting on board to add their expertise in preventing malicious attacks. McAfee is leading the way and has devoted a research team to address the problem “before it becomes one''.

The company's chief technology officer for the Asia-Pacific region, Michael Sentonas, says the potential exists for hackers to take control of a car. “We’re not seeing attacks in the wild but it has been demonstrated, so the whole idea behind the project is we want to work with other researchers and get ahead of it before it is an issue,'' he said.

“If you think about all the entertainment systems that link in with Bluetooth that link in with vehicle diagnostics ... it needs to be addressed. It's not like your PC having an issue where you go online and get a fix. If it happens in a car you have to go back to the manufacturer. Worst case, you'll have an accident.''

The focus on security follows a report last year by researchers from two US universities that showed it is possible to transfer a virus into a vehicle using wireless signals or a virus-laden MP3 file. Most worryingly was their ability to install a Trojan program by using the Bluetooth functions of a smartphone that had previously been paired to the car.

That then let them remotely “take control'' of everything from the sound system to the vehicle's brakes and engine.  Because the phone was directly communicating with the car's computers, the driver was powerless to over-ride the remote signals. Their report describes network security within modern cars as “rudimentary''.

iSEC consultant Don A. Bailey was similarly successful at last year's Black Hat conference in the US in demonstrating that SMS messages sent from a laptop could remotely open and start a vehicle by over-riding its alarm system. “When we looked at this car's security and control system we determined within the first few hours that it was completely ownable, front to back," Bailey said.

Carmakers contacted by Carsguide declined to discuss the security measures in their vehicles, citing the need for secrecy to minimise exposing potential vulnerabilities. Ford announced in 2010 it was fitting firewalls and virus protection to its infotainment systems and GMs latest cars, including the Holden Volt, uses a process similar to credit card transactions to verify data sent between any of its systems.