As high-tech features like adaptive cruise control, automatic braking and automatic parallel parking systems make cars smarter, they're also making them more vulnerable to hackers — a risk that an automotive security researcher says carmakers appear to be ignoring.

"There's no culture of security," said Chris Valasek, director of vehicle security research at the computer security consulting firm IOActive, in a keynote speech at the SecTor IT security conference in Toronto this week.

That's a concern, he said, because of the potential damage that can be caused by a remotely hijacked car.

"Unlike regular PCs, if your car is breached, there’s a chance for physical loss and not just financial loss," he said. "Smashing your car into a pole or braking and starting a traffic jam are things that aren't easily fixed."

'Right now, security seems like an afterthought' for car manufacturers, says Chris Valasek, director of vehicle security research at the IT security consulting firm IOActive. (Emily Chung/CBC)

In recent years, security researchers at the University of Washington showed they could hack a car and start it, either via the systems used for emissions testing or remotely using things like Bluetooth wireless connectivity or cellular radio.

Others showed they could hack a car remotely via a cellular-based car alarm system to unlock the doors and start the engine.

Valasek himself and his research partner Charlie Miller, a security engineer at Twitter, have been starting to experiment with remote attacks after demonstrating that a laptop inside the car can be used to disable brakes and power steering and confuse GPS and speedometers.

He said that while there have been no attacks on the public so far, he expects that to change as the growing popularity of high-tech features in cars drastically increases the number of potential targets available to would-be car hackers.

"Technology is driving auto sales," he said, pointing out that GM commercials in the U.S. tout their cars' Wi-Fi capabilities.

On Thursday, Ford announced new technology available starting 2015 that will detect pedestrians using radar and camera technology and automatically apply the brakes.

Already, automatic braking systems and adaptive cruise control that speed up or slow down the car in response to the vehicle in front of you are installed in "way more cars than you think," Valasek said in an interview following his talk.

He suggests that it's not too early for national leaders and others who might face targeted attacks to think about the security risks of their car's technological features.

"The average consumer doesn't have much to worry about, but … as these become more and more ubiquitous within all vehicles, we do potentially see public attacks."

Insecure technology built into cars, required by law

In his talk, Valasek showed how the design of in-car networks makes them vulnerable to hacking. The communication between software and braking and steering systems is designed so that if the system receives a message that it understands, telling it to apply the brakes, for example, it will comply.

"It doesn't ask where it came from and doesn't ask who sent it."

Researchers have shown that such messages can be sent via other systems in the car that don't directly control the car, such as its Bluetooth connections, remote keyless entry or infotainment systems. Those could, in turn, be used to indirectly hijack the car's control systems.
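The receiver behaviour Valasek describes, set beside a receiver that checks a message authentication code and a freshness counter, is sketched below as an added example; it is not from the article, from Valasek's research or from any carmaker. The message ID, key and frame layout are constructed for illustration and do not correspond to a real vehicle.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # assumption: secret shared by sender and receiver
BRAKE_ID = 0x123                # hypothetical message ID, not from a real vehicle
TAG_LEN = 4                     # truncated tag, since in-car frames are small
HDR = ">HI"                     # constructed layout: 2-byte ID, 4-byte counter


def make_frame(msg_id, payload, counter, key=KEY):
    """Sender side: ID + counter + payload, followed by a truncated HMAC."""
    body = struct.pack(HDR, msg_id, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class NaiveReceiver:
    """Acts on any message it understands; never asks who sent it."""
    def handle(self, msg_id, payload):
        return msg_id == BRAKE_ID


class AuthenticatedReceiver:
    """Acts only if the tag verifies and the counter has moved forward."""
    def __init__(self, key=KEY):
        self.key = key
        self.last_counter = -1

    def handle(self, frame):
        if len(frame) < struct.calcsize(HDR) + TAG_LEN:
            return False                          # too short to be valid
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                          # sender lacks the key, or frame altered
        msg_id, counter = struct.unpack(HDR, body[:struct.calcsize(HDR)])
        if counter <= self.last_counter:
            return False                          # replay of an earlier genuine frame
        self.last_counter = counter
        return msg_id == BRAKE_ID


def demo():
    rx = AuthenticatedReceiver()
    genuine = make_frame(BRAKE_ID, b"\x01", counter=1)
    forged = make_frame(BRAKE_ID, b"\x01", counter=2, key=b"not-the-key")
    return {
        "naive_unauthenticated": NaiveReceiver().handle(BRAKE_ID, b"\x01"),
        "genuine": rx.handle(genuine),
        "forged": rx.handle(forged),
        "replayed": rx.handle(genuine),
    }
```

The counter check matters as much as the tag: without it, a frame recorded from a legitimate sender would still verify when sent again later.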

The challenge is that the insecure messaging systems found in cars are generally standardized and required by law for purposes such as emissions testing, Valasek said.


Chris Valasek and his research partner Charlie Miller, a security engineer at Twitter, have been starting to experiment with remote attacks after previously demonstrating that a laptop inside a car can be used to disable brakes and power steering and confuse GPS and speedometers. (YouTube)

Meanwhile, he added, car manufacturers generally say little about what they are doing to mitigate the risks of systems like that.

As far as he knows, they haven't developed any means to detect attacks.

Toyota has said it protects its cars with a firewall, but Valasek said similar simple solutions have proven ineffective at protecting PCs.

He's also concerned that car manufacturers lack a system for distributing security patches or upgrades to cars, other than sending customers a letter by mail and asking them to drive to a shop for service. He suggested that asking customers to do that "after a 10-hour work day and picking up the kids and walking the dog" isn't going to work.

Valasek likened car manufacturers to throwbacks from a previous era in information technology who haven't learned from the past mistakes of software makers.

"Right now," he said, "security seems like an afterthought." Part of that may be simply a lack of transparency and a reluctance of carmakers to talk about security, he acknowledged.

Canadian cybersecurity expert disagrees

John Proctor, vice-president of global cybersecurity at the Canadian IT consulting firm CGI, disagrees.

"The car companies are actually paying quite a bit of attention to security," he told CBC News.

His company works with Volvo as a "certificates authority" to ensure that people and devices communicating with Volvo vehicles have the right credentials to do so — for example, that when owners bring their car to the dealer to install a software patch, it is an authorized computer that talks to the car.

He suggested that car companies have done risk analysis and are designing their vehicles accordingly.

"It comes down to: How secure do they need to be?" 

Proctor suggested the risk is low, given that car hacking demonstrations to date have typically been done "under very, very controlled, almost laboratory-type environments."

He agreed with Valasek that technology is linked to car sales. 

"Could they [manufacturers] make them absolutely secure?" he asked. "Yes. But then that car will not communicate by Bluetooth, it will not communicate to Wi-Fi, your phone won't connect to it and people won't buy it."

Proctor said other car companies have recently been reaching out to CGI to request help in setting up communications security for their vehicles, something he acknowledged is not easy to do.

"To get one of our guys up to speed to do this takes six months."

Valasek himself thinks carmakers' attitudes could be changing. He noted that in September, GM appointed its first cybersecurity chief.

In the meantime, he said, car buyers shouldn't worry too much before choosing a car with automatic braking or other collision avoidance systems.

"The odds of these things saving your ass as opposed to being used against you in an attack are two separate ends. These things will definitely make you safer, not less safe."