hacker attack/photo: simonok

As cars become more connected to the outside world, risks of malicious attacks will increase

As automotive IT connects cars to the outside world, the likelihood of electronic attacks on vehicles is set to increase, experts say.

Already US scientists at the Universities of California and Washington earlier this year managed to electronically hijack a car, using wireless LAN and the car’s diagnostics interface to gain access to onboard electronics.

The researchers, targeting the many electronic control units (ECUs) that every modern vehicle uses, were able to trigger the car’s braking system, turn off the engine and manipulate instruments to provide false readings.

Cyberspace attacks are a problem for business and private IT users everywhere. And they may migrate to the auto industry. As auto electronics open up to data exchanges with partners that may not always be fully reliable, vehicles are more at risk.

“The attacks on smartphones as we know them now are increasing in complexity and breadth,” said Hartmut Kaiser, product manager at German security services provider Secunet Security Networks. “The threat to vehicles will rise in line with how networked they are.”

The auto industry, which has been extremely restrictive in allowing outside access to all in-car electronics, denies that hacking scenarios such as the one played out in the US could become reality. “Our vehicles are secure,” is the standard answer to questions about electronic vulnerability.

But academics and scientists aren’t so sure.

“As cars increasingly connect to other cars or to the infrastructure around them, security issues related to electronic systems will become more of an issue,” said Juergen Becker, a professor at the Karlsruhe Institute of Technology.

Researchers, working closely with the car industry, have been intensifying their analyses of automotive security issues. One project called SEVECOM (Secure Vehicle Communication) looked at ways to fend off malicious attacks on cars initiated through vehicle-to-vehicle or vehicle-to-infrastructure communication routes. Daimler took part in the project, which was concluded in 2008.

Another project, called EVITA (E-Safety Vehicle Intrusion Protected Applications) runs until 2011 and includes premium-car maker BMW, as well as several automotive suppliers and makers of semiconductors.

A third German project, called SEIS (Security in Embedded Systems), aims to build a secure communications middleware for vehicles based on Internet Protocol.

Though there is no disagreement that the networked car faces new and greater security risks, most experts say the threats can be managed ”“ for now.

Wolfgang Broy, a professor at Munich Technical University, says the US hacking experiment could be applied to European cars as well. But he feels that the simulated US attack was only possible because the car’s electronics infrastructure didn’t adhere to security specifications.

The US team of scientists that conducted the hacking experiment also said it would be very difficult for malicious attackers to replicate it.

And the Karlsruhe experts don’t believe such an attack is possible at the moment with the current state of technology.

Experts feel that automakers are keen to listen to the IT industry, where data security and integrity has been an issue for many years. “Automotive technology can definitely learn from IT,” said Juergen Spaenkuch, director business development for platform security at Munich-based chipmaker Infineon. “For example, a variation on Trusted Computing, using a security chip, is imaginable in the car too.”

The IT industry has a big toolkit available to help car companies deal with data security, industry. Said Secunet’s Kaiser: “Like pieces of Lego, many security components are available to complete the blueprint.”

-By Christoph Hammerschmidt