In the coming age of autonomous cars, connected cars, and cars that can communicate with each other, the city’s infrastructure, our phones, and the entire internet of things, data security is going to be paramount. That’s why Craig Smith, who has spent 20 years working in banking and healthcare digital security, wrote The Car Hacker’s Handbook: A Guide for the Penetration Tester. Which is just as intimidating as it sounds.
Smith first published a version of the book in 2014 as a companion to a one-day class on car hacking. He offered it for free online, and it was downloaded 300,000 times in the first four days. There was more interest in the subject than he had realized while teaching one-day classes at Virginia Tech and the US Cyber Challenge. And his ISP shut down his website.
When he started the OpenGarages.org online community, Smith figured it would be a bunch of security professionals who showed up. That was not the case. “It was a bunch of mechanics and performance tuners,” he said. “I was the only security person. It was a nice expansion, but it shows there’s a much bigger issue here.” When owners and mechanics are locked out of the data, they’re locked out of how their own cars work in a way people weren’t before vehicles became computers on wheels. And with data being so important to our driving experience, Smith asks, “Who owns the vehicle? After I pay $30,000 or more for a car, do I own it, or does the manufacturer?”
Not that every car owner needs to know how to hack or secure their own vehicle. “The expectation is that the manufacturer has done proper security tests,” Smith said. “But you need some method for third-party review.” He brought up that Volkswagen was betting on the fact that no one could check the data in its diesel-powered vehicles during emissions tests. “When you have more independent review, whether it’s a mechanic or the owner, things come to light quicker,” Smith believes.
At nearly 300 pages, The Car Hacker’s Handbook covers a lot of potential security risks, and as autonomous systems become more ubiquitous and sophisticated, there could be even more risks. So is Smith worried about the potential for bad guys to take over our cars? “The car has multiple sensors, and they don’t trust each other always,” Smith said. “The design architecture of sensors is hard to hack; it’s hard to fool senses and sensors. Unless I can get to the core, decision-making piece, I would have to fake out every sensor. You’d think they would be easier to hack, but self-driving cars don’t have a trusted space for data the same way that a corporation that keeps its data behind a firewall would.”
The worst-case scenario for Smith isn’t the remote-driving takeover hack demonstrated last summer. “Unless they’re a sociopath, a hacker doesn’t want to drive the car,” he said. “It’s not that useful. The real value is in stealing data. Information is more valuable than physical damage.”
Does this leave us with the choice of never driving again or reverting to a vintage Model T to keep our data safe? “Being a security guy, I’m pessimistic and extra paranoid,” he said. “There’s been a lot of change in the past five years, but [the automotive industry is] an old industry. We’re ahead of malicious activity, but I don’t know how easy it will be to fix legacy systems.” The pessimistic, paranoid security expert leaves us with this ray of hope: “I don’t think we’re in a bad spot.”