Last fall, Charlie Miller, a 40-year-old security engineer at Twitter, and 31-year-old director of security intelligence at the Seattle-based consultancy IOActive Chris Valasek were awarded an $80,000 grant from the Pentagon’s Defense Advanced Research Projects Agency for the purpose of identifying security vulnerabilities in automobiles.
Their findings will be released at the DEF CON hackers convention which will be held in Las Vegas from August 1 – 4.
As vehicles have become more and more “connected,” the need for security has increased. General Motors Company’s OnStar and Ford Motor Company’s SYNC are just a couple of the cellular and Wi-Fi networked services available on the market, and the Groupe Spéciale Mobile Association (GSMA) industry trade group estimates that such services generate $2.5 billion annually. By 2025, that amount could grow by as much as ten times.
In a recent demonstration for Forbes.com, Miller and Valasek showed some of the potentially dangerous consequences of a security breach. By reverse-engineering the vehicles’ software via the vehicles’ diagnostics ports, the researchers were able to deactivate the power steering, override the speedometers and odometers, and even control the steering of a 2010 Ford Escape and 2010 Toyota Prius. “Imagine,” said Valasek, “you’re driving down a highway at 80. You’re going into the car next to you or into oncoming traffic. That’s going to be bad times.”
Although Ford Motor Company is reportedly taking the research “very seriously,” Toyota has so far dismissed the validity of the research because of the methodology, which involved the use of a connected laptop computer in order to gain control of the vehicles. In an email, Toyota’s safety manager John Hanson said, “Our focus, and that of the entire auto industry, is to prevent hacking from a remote wireless device outside of the vehicle.” He added, “We believe our systems are robust and secure.”
Valasek and Miller contend that the ease of gaining wireless access to vehicles’ onboard networks has already been demonstrated. In 2010, researchers at the University of California at San Diego were able to gain control of the same systems using a smartphone. Furthermore, the possible points of attack are increasing as cars become increasingly automated. “The less the driver is involved, the more potential for failure when bad people are tampering with it,” says Gartner Group auto analyst Thilo Koslowski.