Every computer, including those in modern automobiles, is vulnerable to malware. And every Internet connection, including those involving modern automobile computers, is hackable. Therefore, if you can remotely control a computerized device such as your car with your tablet or smartphone, a hacker potentially can do the same.
The hypothetical danger of hackers hijacking highway drivers has been known for as long as vehicles have been outfitted with wireless connections, but over the past year especially, those hypotheticals have too often become real.
Nearly all cars on the market are hackable
Last August, when security researchers Charlie Miller and Chris Valasek attended that year's Black Hat USA convention in Las Vegas, they presented the results of a study listing the most and least hackable automobiles currently available on the U.S. market.
The following February, the Senate's Commerce, Science and Transportation Committee released a report showing that “Nearly 100 percent of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.”
Last week, Miller and Valasek made headlines again when they demonstrated their discovery of a software flaw affecting up to half a million late-model Fiat/Chrysler vehicles in America (and the company recalled a total of 1.4 million vehicles over it a few days later).
Specifically, Miller and Valasek showed that any hacker who knows a vehicle's IP address could seize control of it from anywhere in the U.S. — or at least, anywhere in the U.S. with a reliable cell phone signal. As proof, they remotely hijacked a Jeep Cherokee driven by a willing reporter for Wired, and cut the transmission and other controls while the reporter drove on a nearby Interstate.
Just yesterday, another security researcher named Samy Kamkar posted an online video demonstrating how easily he could remotely take control of General Motors' OnStar systems by using a device he calls OwnStar (get it?) to exploit a flaw in OnStar's mobile app, thereby unlocking the cars and starting their engines.
Granted, that's far less severe than the previous week's Fiat/Chrysler security flaw: although OwnStar let Kamkar start a vehicle's engine, he still couldn't drive it anywhere without the key, and the engines will shut down 10 minutes after starting if the vehicle hasn't moved. Still, it doesn't take too much imagination to picture reasons it's bad for a hacker to be able to secretly track a vehicle's location and unlock its doors at will.
Kamkar intends to demonstrate OwnStar next week at the DefCon security conference in Las Vegas.
The good news is that after Kamkar posted the video yesterday, General Motors responded by promptly issuing an automatic fix requiring no action from OnStar drivers. The bad news, as Kamkar soon discovered, is that the fix doesn't completely patch the vulnerability.
As of press time, the vulnerability still exists and can still be exploited, and General Motors is working to solve it.