It’s recently been revealed that Nissan’s small electric car, the Leaf, is vulnerable to computer hackers. Not very vulnerable perhaps, but a prankster only needs the VIN number of the car (displayed clearly through the windscreen on most vehicles) to call up your vehicle and monkey with its climate control, using nothing more than a web browser. They can also access information about recent journeys.
Having your heating or air-conditioning switched on while the car is parked up doesn’t sound like much of a problem, but these are electric cars: their range is limited at the best of times, and the last thing you need is somebody running down your battery for laughs.
It was only a couple of weeks ago that a supermarket cashier was cheerfully telling me that his Leaf could be programmed so that it’s nice and warm when his shift finishes. It made me think, wow… maybe these electric cars are beginning to carve out a niche for themselves. Having the vehicle warmed up and ready to go is a nice little gimmick that my humble diesel could never manage.
It’s around a hundred years since cars first acquired circuitry. Before that, you had to make to with hot tube ignition, and later a magneto – both dependent upon enthusiastic work with a starting handle. Then along came the 1912 model Cadillac, with its electric starter. Everything changed once cars had a supply of electric current: in addition to keeping a battery topped up, electricity offered practical lights, a horn, an electric means of ignition and so on, through to electric headrest adjustment and all the bells and whistles of a modern car.
Inevitably, the economics of providing electrical (and later electronic) systems in a car improved. Electronic control systems proved to be simpler, cheaper and more reliable than their mechanical predecessors. Cars acquired systems for emissions control, and anti-lock braking – later mandated by law – and if you’re going to have all that computing power in a vehicle, it’s logical to let it work like a computer. Cars acquired diagnostic sockets that allowed a mechanic to investigate faults (and which locked drivers into paying top dollar for servicing at manufacturer-approved centres, for a time). But then, if you’ve got communications gear such as a cellular antenna and a global positioning system on-board, why not integrate it all? That allows the car manufacturer to ‘mine’ your data, and learn things such as how their vehicle performs, and how customers use it. It’s a bit of an invasion of privacy, but it’s a fabulous way to turn all your customers into unpaid test drivers. We have to assume that drivers’ data is regularly being mined today, at some level of abstraction.
And if you can receive data from cars, maybe it’s a good idea to be able to send data to cars, as well. Updates to the navigation system require such a capability… but it could also be handy to be able to patch a hypothetical fault in your firmware without the usual formal recall for work at an approved service centre (and all the bad press that this entails).
It’s amazing to think that all this capability comes about for free, piggybacked onto other functions that a modern car needs. Computing really has improved to the point where it’s more expensive to leave functionality out. (There’s also the question of designers mistakenly leaving in a ‘back door’ as a result of using off-the-shelf components or code segments that have other applications…)
As Nissan have found out, sooner or later, somebody figures out how to hack your system. In their case, it was security researchers Scott Helme and Troy Hunt. Hunt is said to have informed Nissan of the vulnerability, but after a month with no news of a fix he went public with a demonstration in which a Nissan Leaf in the UK was accessed from Australia.
It doesn’t exactly presage armageddon, but we can expect this kind of thing to become increasingly common as machines get ‘smarter’. Nissan aren’t software developers or security specialists: they just wanted to make a competitive car with some neat features, such as allowing drivers to ensure their car is at a comfortable temperature with a smartphone app… but they messed up. They’re not alone, either: this article reports how a 2015 Jeep Cherokee could be hacked remotely, manipulating the in-car entertainment and windscreen wipers, and even shutting the car down.
More worrying is the tale of security researcher Chris Roberts, who appears to have hacked into airliners while on board as a passenger. He exploited a weakness of the in-flight entertainment systems to interface with critical systems on aircraft such as the Boeing 737-800, 737-900, 757-200 and Airbus A-320, making fifteen to twenty such incursions from 2011 to 2014. Roberts has been interviewed by the FBI, but hasn’t been charged with a crime. It appears he’s not welcome to fly with United Airlines anymore, though.What of the supply chain, and the Internet of increasingly connected things? Lars Jensen, CEO of CyberKeel, found serious vulnerabilities in sixteen out of twenty ocean carriers surveyed. The motive and opportunity exist for theft of data, fraud and perhaps terror attacks.
“No opening is too small,” says Carole Boyle at Strategic Sourceror. Information that would once exist on a physical clipboard is now in cyberspace, and shared widely. Where businesses collaborate, the security is only as good as at its weakest point, while differences of time zone and asynchronous communications may mean that organisations are slow to notice when their security has been breached.
Citing a data breach at US retailer Target, John Mello suggests that the supply network is a particular point of vulnerability for corporations. A supplier’s credentials, normally used in legitimate business-to-business communications, can be used to gain access to much of a network… and the hackers only have to find their way into one supplier’s account to achieve this, while a large corporation will have to audit the security of hundreds of vendors.
Like Nissan, you probably didn’t think you were in the cybersecurity business… but it turns out that we all are, from now on. Next time you install a free game on your smartphone, you might be wise to ponder if it really is a bargain, or if it contains a piece of malware that will snoop on your SMS messages, and perhaps suppress or spoof a two-step verification attempt from a web-based service that you depend upon.