‘Kill switch to keep connected car fleets from being hijacked’
With the next generation of cars coming out in 2020 all connected to the internet, the ‘horror movie scenario’ of a whole fleet of thousands of the same vehicles being ‘hijacked’ simultaneously by malicious hackers is becoming a real threat. They could take control of steering and braking to create chaos and get people killed.
A ‘kill switch’ to disconnect the car instantly should be mandatory, the Los Angeles-based non-profit organization Consumer Watchdog says in a new report. Otherwise, a terrorist cyber-attack on the scale of ‘9/11’, with 3,000 deaths or more, is one of the daunting possibilities, its president, Jamie Court, states, not without a sense of the dramatic.
But is it possible? Consumer Watchdog claims it based its report on the findings of some 20 whistleblowers working in the car industry. They are worried about the lack of safety precautions taken by the car manufacturers while trying to beat each other in the race to offer more connected services, such as updating the car’s critical software remotely.
The findings are bundled in a report called ‘Kill Switch. Why connected cars can be killing machines and how to turn them off,’ which was presented in Los Angeles on Thursday.
First hack in 2011
The first successful hack of a car dates back to 2011, at the Defcon conference in Las Vegas, where hackers and security experts meet each year.
Researchers from the universities of Washington and California showed live how they cracked the security system of a Subaru Outback using only its Bluetooth connection. Another car hack was that of the Jeep Grand Cherokee of a journalist from the American tech magazine Wired, which was taken over live by a bunch of hackers.
Meanwhile, Consumer Watchdog says, there have been more than half a dozen high-profile hacks in recent years. On the internet, YouTube videos are circulating of successful hacks taking over the steering of a car or slamming on the brakes of a Tesla without the driver being able to intervene.
‘White hat hackers’
Until now, these hacks were all done by ‘white hat hackers,’ working for the ‘good guys,’ as a ‘proof of concept.’ Car manufacturers are paying hackers to report flaws in their software in so-called ‘bug bounty programs.’
But what if someone with evil intentions could break into real driving situations? And not in a single car as a demo, but in a whole fleet of similar vehicles sharing the same software at the same time?
You could even imagine a ‘sleeping’ virus, planted unnoticed, that becomes active at a particular signal, or a ‘malicious Wi-Fi hotspot’ that can infect any susceptible vehicle that passes within range.
Access to the car’s CAN-bus
The problem is that most connected vehicles share the same vulnerability, Consumer Watchdog explains. The infotainment system of the vehicle is connected to the internet via a cellular connection, but at the same time to the car’s CAN-bus (Controller Area Network).
“This technology dating from the 1980s links the vehicle’s most critical systems, such as the engine and the brakes. Experts agree that connecting safety-critical components to the Internet through a complex information and entertainment device is a security flaw. This design allows hackers to control a vehicle’s operations and take it over from across the Internet,” the report states.
According to the non-profit organization, the ‘whistleblowers’ want to stay anonymous to avoid losing their jobs but appointed a spokesperson to testify unrecognizably on their behalf in a video. Whether that video is genuine is hard to prove, of course.
They warn that using smartphone technology in cars, or open software, like Android (Google), Linux or FreeRTOS, is a real security flaw. Thousands of different authors spread over the world often write this software with little accountability for faults.
Relying on third-party software
Many major carmakers rely on this third-party software, often without knowing its origin or its actual risks, they say. They cite the example of FreeRTOS, used by Tesla in critical systems, in which significant vulnerabilities were discovered in October 2018. But Tesla never admitted using the software or having patched the security holes.
Asked by Belgian IT magazine DataNews in 2017, Joan Van Loon, Enterprise Leader Automotive at IBM Belgium, already acknowledged that there is a real risk. “At this stage, this is an absolute doom scenario.”
“But don’t forget the most important rule in internet security: the more a device is connected, the bigger the risk someone can break into it. Cars have become more and more data centers on wheels, and the data streams and the connection with the outer world need the same authentication and security levels as computers and smartphones.” And they are hacked all the time, aren’t they?
Most straightforward solution
Consumer Watchdog lists a host of measures to safeguard the car driver, but its most straightforward solution is installing a 50-cent (US) ‘kill switch’ in every car. The driver must be able to hit the switch to disconnect the car from the internet instantly, the moment he suspects the vehicle is doing things beyond his control. If it isn’t too late already?