Kill Switch – Connected Cars can be Killing Machines and their Prevention

Connected Cars
While self-driving cars have received lots of attention, the auto industry is quietly installing components that carry similar risks into ordinary consumer automobiles. 17 million new cars are deployed on American roads each year in which the mechanisms that control movement—accelerating, steering, and braking—can be overridden by computers and software.

This computerization has been accompanied by a growing trend of connecting cars to wide-area communications networks—making them part of the Internet of Things (IoT). 

This is a dangerous combination, as it creates the potential for hackers to take control of vehicles remotely.  Unlike other “connected” technologies in which hackers can only steal information or money, hacked cars have the potential to cause property damage and deaths. 

 

A hacker with only modest resources could launch a massive attack against our automotive infrastructure, potentially causing thousands of fatalities and disrupting our most critical form of transportation.

 

Main findings of the investigation:

 

  • The top ten car brands in the U.S., accounting for 95% of car sales, all sell Internet-connected cars. The three top-selling carmakers in the U.S., GM, Toyota, and Ford, representing nearly half the U.S. auto market, will only sell Internet-connected cars by the end of this year.

  • Safety-critical systems are being linked to the Internet without adequate security.

 

  • Experts agree that connecting safety-critical components to the Internet through a complex information and entertainment device is a security flaw. This design allows hackers to control a vehicle’s operations and take it over from across the Internet. 

 

  • By 2022, about two-thirds of new cars on American roads will have online connections to the cars’ safety-critical system, putting them at risk of deadly hacks. 

 

  • Car makers, investors and shareholders are aware of the dangers of connected cars and their vulnerability to hacking.

 

  • Expert hackers report that time and money are the only things that stand between them and hacking a fleet of cars.

 

  • Connected cars have suffered more than half a dozen high-profile hacks in recent years. All have been benign demonstrations, not intended to cause harm. 

  • The car industry’s response when vulnerabilities are exposed is to patch individual security holes and ignore the design problems that underlie them.

  • In connected cars, viruses can spread vehicle-to-vehicle. Malicious Wi-Fi hotspots can infect any susceptible vehicle that passes within range.

  • Security-critical components in cars are black boxes. Even the car makers themselves often do not know the origins of the software they use, nor their true risks. 

  • Vehicles from many major car makers—including Tesla, Audi, Hyundai, and Mercedes— rely heavily on software written by third parties.  This includes open source software, like Android, Linux, and FreeRTOS. For example, FreeRTOS, used in critical systems by Tesla, had major vulnerabilities discovered in October 2018, but Tesla never acknowledged using the software, the vulnerability, or whether it patched the problem.

  • To protect the public, carmakers should install 50-cent “kill switches” in every vehicle, allowing consumers to physically disconnect their cars from the Internet and other wide-area networks. Otherwise, if a 9/11-like cyber-attack on our cars were to occur, recovery would be difficult because there is currently no way to disconnect our cars quickly and safely. Mandatory “kill switches” would solve that problem.

Read the full report on ConsumerWatchDog: https://consumerwatchdog.org/sites/default/files/2019-07/KILL%20SWITCH%20%207-29-19_0.pdf
