Speaking to TrustedReviews this week, Alexander Moiseev, Kaspersky Europe's Managing Director, has warned that your car is at serious risk of being hacked. He is, however, wrong and I'm going to explain why.

Kaspersky Lab and Mr Moiseev may well insist that the threats to the automotive industry are very real, and very much here and now; and while I don't dispute that there are concerns I do think there is a very real element of Mandy Rice-Davies Applies about the entire debate. With the demise, albeit a long and drawn out death, of desktop AntiVirus as the golden goose of the IT security industry, it should come as no real surprise when that industry looks for alternative areas to occupy. Transport is one of the much hyped, I would argue over-hyped, areas currently doing the rounds. The more the 'threat' is talked up, the more there will be a demand from consumers for 'protection' and vehicle manufacturers will turn to vendors to supply it.

That is far from my campervan being hackable now, or ever, as a matter of fact.

In that TrustedReviews interview, Mr Moiseev likens IT security not being involved in the design and development process of cars to having a house with no roof and putting bars on the windows to protect from theft. He argues that we don't have to wait for the autonomous self-driving Google Car for the hacking threat to materialize, and says our cars today are already at risk from, wait for it, parking assist modules and in-car microphones. Talking of the parking assist module he says "I don’t need anything else to drive the car, and this is a piece of software" and goes on to warn "this is accessible, people could change this software." Except people are not accessing it, are not changing the software and are not crashing cars as a result. I imagine we may have heard about it if they were. Unless it's the ultimate in stealth lulz or some kind of James Bond special ops thing in which case, obviously, it would never make the press.

As for the microphones, these are dangerous because if you get access to that you get access to what is being spoken about in the car. Mr Moiseev talks about mega VIPs with "tonnes of bodyguards" and who "visits rooms which are completely secured" yet is left exposed by the potentially hacked mic in his car. First, I would imagine the target footprint here is pretty small; anyone who wants to hear the conversations in my car is more than welcome, and I am afraid they would be very disappointed at the return on their investment. Even allowing for the fact that there are high profile targets, if their existing security teams were worth diddly then they would already be on top of the in-car situation. If they really need help with dealing with a potentially hacked in-car system, as opposed to a bug planted there, then I'm happy to offer a simple solution for free: disconnect the mic, or cover it with tape. Sorted. Next.

My biggest beef with what Mr Kaspersky Labs has to say is when he states that the real problem right now is that "nobody can tell you for sure that those threats are not active." No, that is not the real problem. I can tell you for sure, 100%, that my van has not been hacked and is totally secure. It has no microphone (unless someone has hacked my smartphone - quite another subject) and the only parking assist I have is from my wife (who I would gladly have hacked if it shut her up and let me get on with the job of parking). Nope, the real problem is that the automotive security threat continues to get talked up, a classic case of introducing Fear, Uncertainty and Doubt into the market. We need to get rid of the FUD and strip this particular threat vehicle back to the bare metal so we can determine exactly what we are dealing with; then start giving sensible quotes for repair work.

I've said it before and I will say it again: Cyber-criminals are driven by profit. If someone were to develop exploitable code for a vulnerability within an in-car system, that would then be sold back to the manufacturer via blackmail or a bug bounty. I'm all for security vendors and others in the security industry being involved in making cars safer by design, especially as they become ever more technically complex. But the FUD factor, the exaggeration factor, the marketing factor - call it what you will - does nobody any favours if you ask me. I'm all for the likes of BT, for example, launching the Assure Ethical Hacking for Vehicles service which seems to take a more measured view and is designed to test how exposed connected automobiles actually are to cyber-attack and so help manufacturers and security vendors develop solutions to any weak points that are discovered.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

As I've already been asked: it's a Mazda Bongo (yes, really) Japanese import MPV converted into a campervan with kitchen and bed in the back. :)

Anybody hi-hacking cars in the UK is bound to make the roads safer IMO. The number of driver-occupied cars that nearly ran me off the M42 on Friday night was unbelievable. Don't get me started on Rome. Anyhow - is this just about eavesdropping on your inane ramblings, expletives, and badly sung songs and taking away your ability to judge how close you are to an obstacle as you park? So it also has the ability to make you blind? FFS. OK, perhaps some people really do need PA? Jeez - just stopped myself - read about the twitteRage about the scientist who got sacked from UCL - that was close!

Even worse for Kaspersky: unless they claim that there is some way a "hacker" can actually interface with your car electronics and computer.
Which, given that cars don't typically have active wifi or bluetooth options (carkits for mobile phones excluded) would mean having physical access to the car's systems.
Which is not a topic for a software manufacturer, but depends on the car having proper physical security devices, also known as locks...

Any hacker who can break into my car, open the hood, has the proper connectors to connect to my car's computers, AND manages to power up those systems (which means starting the car itself) so he can interface with them while they're running is welcome to do so.
He'd make more simply stealing the car and selling it somewhere else anyway, which is a far greater risk and the very reason those locks exist in the first place.

Cars and appliances of the future will sense and transmit information to the manufacturer. This most likely will become a two way information street.

So, if you drive an old clunker, you are safe.

I agree with the 'of the future' bit but disagree with the assertions of parts of the IT Security industry (read: those with a vested interest) that the threat is 'here right now' which it really is not in any meaningful way at all.

There are indeed car systems that can do that, most notoriously the "black boxes" that are being installed in some new cars (and that some jurisdictions and insurance companies want to make mandatory).
Interesting tidbit: we had a discussion some 2 years ago about whether Ford (who were at the time planning to have some car computers call Ford with diagnostics information) could be held legally liable for accidents if those accidents were caused by car systems about which they had received information from that diagnostics package...

But even then you'd not be "hacking" the car, you'd organise a man in the middle attack to intercept and possibly corrupt/modify information sent to or from the car.

I worked in GPS tracking of people and vehicles for a while, it's right now purely a one way street.
Equipment sends data to a central server where it's analysed and filtered for display to operators (e.g. the system I worked on by default only showed alarm signals and error status messages (things like low battery warnings), the location data was stored for display on demand but not shown by default as it'd cause way too much clutter on the operators' screens).
There have been plans to have all cars fitted by law with such systems which would communicate with police computers to allow for the fully automated issuing of speeding tickets. So far those plans have not been implemented, in large part because of privacy concerns (by law the police isn't allowed to track the movements of citizens without a court order for each such operation which is only to be issued if suspicion of a crime exists, and the justice department here isn't quite ready yet to admit that they consider every driver to be a criminal by definition).