Connected Cars and Their Various Vulnerabilities

Automobiles have transformed from complete mechanical systems in their earliest form

to complex computer systems that control various mechanical elements. All automotive

companies, whether that be Fiat Chrysler Automotive in the United States or the Daimler

Automotive Group in Europe, are creating new innovative systems to improve the connected

aspects of their car. These aspects might be as simple as a Bluetooth or Navigation system, or as

complex as autonomous vehicle functionality. With new technological innovations, however,

comes a certain level of insecurity and possible danger. Today, with the automotive market

transforming faster than a consumer is able to educate themselves, consumers should be cautious

about purchasing vehicles with these modern computer systems. Research has shown that these

new technologies are open to outside dangers such as hacks or system tampering. Certain

dangers of car connectivity that a consumer should educate themselves about are the

vulnerabilities created by having a car that is connected to a broad internet network, the hacking

potential of intra-vehicular networks, and the openness created by the networks shared by cars

and infrastructure.

Hacking is the unauthorized access to a computer network or system in order to change

certain aspects of that computer system or manipulate its overall function (Techopedia). As it

relates to automobiles, hacking can strive to change a variety of things, including changing how

a cars in-car interface functions or how its many mechanical systems function independently or

together. The intrusion into a vehicles computers can also give a hacker access to ones personal

information, which can range from a name to different locations youve traveled according to the

navigational unit.
 Morin 2

Hacking, whether on purpose or accidental, could be caused by anyone with

programming or hacking knowledge. While not all hacks will be malicious in intent, they could

come from a wide range of sources. David Fagnant, who has done research on the problems

created by the advancement of technology and how it relates to modern automobiles, stated that

computer hackers, disgruntled employees, terrorist organizations, or hostile nations all have the

ability to gain access to an individual car or a fleet of automobiles and possibly cause collisions

or other traffic disruptions (Fagnant). This means that anyone with a computer and a grudge can

harm those who oppose them, whether that be an infamous terrorist organization targeting a

nation with views different than their own, or an employee who was recently fired pursuing an

attack on her former boss or fellow employees. The process of hacking, through the history of

computing technology, has become easier to figure out for anyone, meaning that everybody is

vulnerable to the possibility of a hack into their automobile.

Jonathan Petit was able to demonstrate other ways that cars become vulnerable because

of their increased connectivity. Petit, with just forty-three dollars and a laser pointer, was able to

confuse and defeat an autonomous automobiles light detecting and ranging system (LIDAR)

cameras (Muoio). These sensors function to detect its surroundings and properly guide a car

down a roadway while staying between the yellow lines. The cameras, such as the very common

back-up camera systems on cars, function to give drivers a visual of areas around that are not

otherwise clearly visible to them. Through his research, Petit was able to demonstrate that

modern vehicles are easy to manipulate, and that the malicious perpetrator does not need to be an

expert in his field or having a large monetary background to gain control of new cars.

To better introduce the insecurity that comes with modern automobiles, look at the

research done by Charlie Miller and Chris Valasek. These two programming experts wanted to
 Morin 3

prove how simple it was to gain control of a cars computers without being in its immediate

proximity. So, from a remote location, they gained access to a Jeep Cherokee and took control of

some of the technological and mechanical systems in the car (Greenberg). The systems they took

over included the radio, the windshield wipers, and the braking system, which they demonstrated

by bringing the Jeep to a complete stop on a busy interstate. They were able to do this because of

the transition by automakers from pure mechanical systems to drive-by-wire systems, which

serve the same purpose as their predecessors, but instead of containing physical and mechanical

connections, work together through the intricacies of computers and programming.

With drive-by-wire systems, consumers should be concerned about the safety of

connected and autonomous vehicles. Miller and Valasek, through their research with the Jeep

Cherokee, also exposed that they were able to bring the car to a complete stop on an interstate

highway, which could cause a much larger chain of events to occur. Upon the conduction of

more research, they were able to determine that with access to the braking system, they could

also disable the breaks all together, which would be devastating in stop-and-go traffic situations.

Vehicles become vulnerable when they are connected to the internet, which can include

the high-end cars that have the mobile Wi-Fi hot spots, as well as cars with basic functionalities

that include navigation or Bluetooth capabilities. Miller and Valasek proved through their testing

that the computers within these cars could be hacked remotely, and then they could laterally gain

access to more mission critical systems, such as the drive-by-wire systems used in a cars ability

to brake, accelerate, and steer (Koscher). This type of connection creates an opportunity for

hackers to take control and steer, accelerate, and brake a car from a remote location (Greenberg).

Having a crucial automotive system connected to a cars computers creates a much more
 Morin 4

dangerous opportunity for hackers, who have the opportunity to create havoc on any passenger

vehicle, or vehicles, currently on the road.

As this connected technology has progressed, cars have become more autonomous,

meaning that there is less input required from a driver as the car relies more and more on

technology and connectivity. The present version of the autonomous vehicle technology consists

of hundreds of sensors around a car as well as cameras pointed in every direction which will

inform a car of its surroundings. However, the technology is projected to progress to a point in

which cars are able to fully communicate with one another in what is known as vehicle-to-

vehicle communication, or V2V. Cars will also have the ability to communicate with

infrastructure in a vehicle-to-infrastructure communication, or V2I. Both of these types of

communication will greatly improve the efficiency of the roadways, reduce traffic, and increase

the safety of drivers and pedestrians (Mahmassani). This type of connectivity creates another

form of vulnerability which reduces the amount of privacy for the driver of a passenger vehicle.

Researcher Jonathan Petit also conducted research on how to intercept these types of

communications (Muoio). Petit set up sniffing stations which were able to pick up signals that

cars were sending each other or sending to infrastructure. These stations could not only interpret

what the signals were, but also locate where they were coming from. One station that was placed

in a highly populated area was able to pick up the location of a security vehicle with seventy-

eight percent accuracy. Today, with personal privacy becoming a hot topic, the ability for anyone

to gain access to personal locations or other private, sensitive information should concern

potential buyers of a modern car.

This information creates privacy concerns for the public because drivers wont know who

has access to their location or private information. Currently, privacy rules have not been created
 Morin 5

to protect the operators of a connected vehicle, but a consumer should be able to ask themselves

some questions. A consumer, before buying a car with connected abilities, should ask about who

will have access to the data created by their car, how said data will be made available, and how

the data will be used (Fagnant 14-15). For example, if a government agency such as the National

Highway Traffic Safety Administration is accessing information to improve the safety and

efficiency of the roadways, then that might be a privacy breach that could be overlooked by a

consumer. However, if the government agency is the Central Intelligence Agency or the Federal

Bureau of Investigation and their primary intent is to spy on private citizens, then the consumer

should seriously consider whether or not the purchase is worth it.

The potential dangers created by connected vehicles as well as the lack of privacy that

comes with any type of connectivity makes the purchase of a modern automobile a risky

endeavor. Through the history of automobiles, the biggest risk associated with driving were those

created their operators, humans. Now, with the removal of the biggest flaw of the car, bigger

concerns have risen to the surface and present problems which have not yet been addressed by

the departments and organizations whose primary purpose is to protect consumers from said

dangers. With this new technology rolling off the assembly line direct to consumers through

companies like Tesla and Uber, the government has not had time to create new regulations or

deal with the ethical issues of autonomous and connected vehicles.

Consumers, who should be educated before making any purchase, should not invest in a

product that has not yet been tested or regulated by an overarching board, which in this case is a

government association such as the National Highway Traffic Safety Administration (NHTSA)

or the United States Department of Transportation. Today, according to the website of the

Department of Transportation, the only regulations that have been created deal with how to
 Morin 6

properly test vehicles, which proves they are behind in the regulation of the connected portions

of vehicles. The NHTSA currently takes new cars through a cyber security laboratory where they

test how vulnerable or closed a cars computer systems are before they become available to the

mass-market (NHTSA). Seeing as some testing is currently completed in regards to the network

security of an automobile is a sign that the administrations tasked with roadway safety are taking

the correct strides to keep passengers safe in all circumstances.

While no new regulations have been created as a result of the evolving automotive

market, solutions have been proposed that would better help consumers. Mohamed Amin and

Zaid Tariq suggested that cars be produced with an intrusion detection system, which would

function exactly as it is named, and detect and inform the passengers of the vehicle when it has

been compromised (Amin & Tariq). They also suggested multipurpose electronic control units

that would have the ability to govern all network traffic. With these two proposed solutions, the

automotive industry begins to move in the right direction to protecting passengers. The industry

has a long way to go before I would ever consider buying a car with these modern advantages

and conveniences. While the rate of car accidents has decreased with the help of autonomous

abilities and driver assist systems, the vulnerabilities created by connecting the cars to a large

internet network create the risk for more accidents, but this time not at the fault of the driver.

As the automotive market continues to evolve, new concerns have arisen about personal

safety. Safety in this context, however, doesnt bring into account physical safety or how many

airbags a car has, but rather how closed-off a car is from a wider network of connected vehicles.

Different researchers have found a way to invade a cars systems and trick and manipulate these

systems to do what they want. Not only is a consumers safety at risk, but also their privacy.

Researchers Miller and Valasek took physical control of a car while Jonathan Petit took private
 Morin 7

location information by accessing an intra-vehicular network. Automotive manufacturers have a

long way to go in the development of these highly connected vehicles, and consumers should be

aware of the many setbacks that come with the ownership.

Works Cited

Amin, Mohamed, and Zaid Tariq. Securing the Car: How Intrusive Manufacturer-Supplier

Approaches Can Reduce Cybersecurity Vulnerabilities. Technology Innovation

Management Review, Jan. 2015.

Fagnant, Daniel J., and Kara Kockelman. Preparing a Nation for Autonomous Vehicles:

Opportunities, Barriers and Policy Recommendations. Transportation Research Part A:

 Morin 8

Policy and Practice, vol. 77, July 2013, pp. 1415.

Koscher, Karl, et al. Experimental Security Analysis of a Modern Automobile. 2010 IEEE

Symposium on Security and Privacy, 2010.

Mahmassani, Hani S. "50th Anniversary Invited Articleautonomous Vehicles and Connected

Vehicle Systems: Flow and Operations Considerations." Transportation Science, vol. 50,

no. 4, 2016, pp. 1140-1162, http://uncc.worldcat.org/oclc/6854283062.

Muoio, Danielle. Self-Driving cars are prone to hacks - and automakers are barely talking about

it. Business Insider, 15 Dec. 2016.

National Highway Traffic Safety Administration. Vehicle Research & Testing. NHTSA, 14

Dec. 2016, www.nhtsa.gov/research-data/vehicle-research-testing. Accessed 28 Mar.

2017.

Petit, Jonathan, and Steven E. Shladover. Potential Cyberattacks on Automated Vehicles. IEEE

Transactions on Intelligent Transportation Systems, Sept. 2014, pp. 111.

Techopedia. What Is Hacking? - Definition from Techopedia. Techopedia.com,

www.techopedia.com/definition/26361/hacking. Accessed 30 Mar. 2017.