In the early days of PCs, the software was very fragile - from a security point of view. Virus software could easily infiltrate a system and it was common practice to be very careful with the use of media from non-trusted sources. Then, everyone started to be connected to the Internet and the problem became orders of magnitude worse and we all have a justifiable paranoia about the security of our online lives. Now it seems that cars are going the same way …
There has been a lot of discussion in the press recently resulting from the publication of a research paper, which investigated the security of the electronics systems in cars and found them lacking.
Modern cars are stuffed with electronics. Numerous embedded systems which contain upwards of 100Mb of binary code across 50-70 microprocessors, many of which are linked by a series of networks. This is the primary reason why modern vehicles are safer, more reliable, more comfortable and have greater functionality than ever before. Many systems just make us comfortable - I like having climate control, remote-controlled central locking and acoustic reversing sensors. Some things contribute to safety, like sophisticated braking systems. Other things are just enablement - for example, I have a diesel engine, which is very economic, runs smoothly and gallops up a hill like a rhino on speed; this would not be possible without the electronics.
Another alleged benefit of the mass of electronics is ease of servicing and maintenance. Modern cars have a connector - the On-Board Diagnostics [OBD-II] port - which is quite standardized and allows quick and easy access to all the cars systems by service personnel. I am slightly sceptical of the benefit to the consumer after an encounter with a car dealers last week, where I was told: “We connected the computer and it found some faults. It will cost a bit over $1000 to repair.” My suspicion is that said “computer” was linked to their accounting system and was tasked with making up a shortfall. But enough of my insecurities. The researchers, who published the recent paper, used the OBD-II port to infiltrate a car’s systems.
With the benefit of access to this port and, I would imagine, some inside knowledge of the way the software worked, the researchers successfully interfered with some critical systems on test vehicles. In particular, they could disable the brakes or apply them independently of the driver’s action. They also discovered that sending invalid data could affect system functionality in adverse ways.
Should we all be worried about this? I do not think that it is a concern in the short term. The likelihood of unauthorized access to the OBD-II on a car by someone with this kind of expertise is very unlikely. However, longer term, the increasing popularity of wireless connectivity makes this more of a possible source of concern. Hopefully the designers will ensure that the maximum levels of security are applied. However, it was the effect of invalid data that worried me …
This does not stop at cars. They are simply one of the most ubiquitous contexts in which embedded systems are found. What this research highlights is that, with increasing connectivity, any embedded system may be vulnerable to abuse. Designers need to be vigilant and ensure that they are using a networking stack which includes all the latest security features and is fully validated.