Experts hope to shield cars from computer viruses

BOSTON – A team of top hackers working for Intel Corp's security division toil away in a West Coast garage searching for electronic bugs that could make automobiles vulnerable to lethal computer viruses.
Intel's McAfee unit, which is best known for software that fights PC viruses, is one of a handful of firms that are looking to protect the dozens of tiny computers and electronic communications systems that are built into every modern car.
It's scary business. Security experts say that automakers have so far failed to adequately protect these systems, leaving them vulnerable to hacks by attackers looking to steal cars, eavesdrop on conversations, or even harm passengers by causing vehicles to crash.
“You can definitely kill people,” said John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, a non-profit organization that helps companies analyze the potential for targeted computer attacks on their networks and products. To date there have been no reports of violent attacks on automobiles using a computer virus, according to SAE International, an association of more than 128,000 technical professionals working in the aerospace and the auto industries.
Yet, Ford spokesman Alan Hall said his company had tasked its security engineers with making its Sync in-vehicle communications and entertainment system as resistant as possible to attack.
“Ford is taking the threat very seriously and investing in security solutions that are built into the product from the outset,” he said.
And a group of U.S. computer scientists shook the industry in 2010 with a landmark study that showed viruses could damage cars when they were moving at high speeds. Their tests were done at a decommissioned airport.
SAE International charged a committee of more than 40 industry experts with advising manufacturers on preventing, detecting and mitigating cyber attacks. “Any cyber security breach carries certain risk,” said Jack Pokrzywa, SAE's manager of ground vehicle standards. “SAE Vehicle Electrical System Security Committee is working hard to develop specifications which will reduce that risk in the vehicle area.”
The group of U.S. computer scientists from California and Washington state issued a second report last year that identified ways in which computer worms and Trojans could be delivered to automobiles -- via onboard diagnostics systems, wireless connections and even tainted CDs played on radios systems.
The three big U.S. automakers declined to say if they knew of any instances in which their vehicles had been attacked with malicious software or if they had recalled cars to fix security vulnerabilities.
Toyota Motor Corp, the world's biggest automaker, said it was not aware of any hacking incidents on its cars. “They're basically designed to change coding constantly. I won't say it's impossible to hack, but it's pretty close,” said Toyota spokesman John Hanson.
Officials with Hyundai Motor Co, Nissan Motor Co and Volkswagen AG said they could not immediately comment on the issue.
A spokesman for Honda Motor Co said that the Japanese automaker was studying the security of on-vehicle computer systems, but declined to discuss those efforts.
A spokesman for the U.S. Department of Homeland Security declined to comment when asked how seriously the agency considers the risk that hackers could launch attacks on vehicles or say whether DHS had learned of any such incidents.
The department helps businesses in the manufacturing and transportation industries secure the technology inside their products and investigates reports of vulnerabilities that could allow attacks.
Bruce Snell, a McAfee executive who oversees his company's research on car security at the Beaverton, Oregon garage, said automakers are fairly concerned about the potential cyber attacks because of the frightening repercussions.
“If your laptop crashes you'll have a bad day, but if your car crashes that could be life threatening,” he said. “I don't think people need to panic now. But the future is really scary.” Automobiles are already considered “computers on wheels” by security experts. Vehicles are filled with dozens of tiny computers known as electronic control units, or ECUs, that require tens of millions of lines of computer code to manage interconnected systems including engines, brakes and navigation as well as lighting, ventilation and entertainment.
Automakers are rushing to make it easy to plug portable computers and phones to vehicles and connect them to the Internet, but in many cases they are also exposing critical systems that run their vehicles to potential attackers because those networks are all linked within the car. “The manufacturers, like those of any other hardware products, are implementing features and technology just because they can and don't fully understand the potential risks of doing so,” said Joe Grand, an electrical engineer and independent hardware security expert. – Reuters