By Jim Finkle
BOSTON (Reuters) - A team of top hackers working for Intel Corp's security division toil away in a West Coast garage searching for electronic bugs that could make automobiles vulnerable to lethal computer viruses.
Intel's McAfee unit, which is best known for software that fights PC viruses, is one of a handful of firms that are looking to protect the dozens of tiny computers and electronic communications systems that are built into every modern car.
It's scary business. Security experts say that automakers have so far failed to adequately protect these systems, leaving them vulnerable to hacks by attackers looking to steal cars, eavesdrop on conversations, or even harm passengers by causing vehicles to crash.
"You can definitely kill people," said John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, a non-profit organization that helps companies analyze the potential for targeted computer attacks on their networks and products.
To date there have been no reports of violent attacks on automobiles using a computer virus, according to SAE International, an association of more than 128,000 technical professionals working in the aerospace and the auto industries.
Yet, Ford spokesman Alan Hall said his company had tasked its security engineers with making its Sync in-vehicle communications and entertainment system as resistant as possible to attack.
"Ford is taking the threat very seriously and investing in security solutions that are built into the product from the outset," he said.
And a group of U.S. computer scientists shook the industry in 2010 with a landmark study that showed viruses could damage cars when they were moving at high speeds. Their tests were done at a decommissioned airport.
SAE International charged a committee of more than 40 industry experts with advising manufacturers on preventing, detecting and mitigating cyber attacks.
"Any cyber security breach carries certain risk," said Jack Pokrzywa, SAE's manager of ground vehicle standards. "SAE Vehicle Electrical System Security Committee is working hard to develop specifications which will reduce that risk in the vehicle area."
The group of U.S. computer scientists from California and Washington state issued a second report last year that identified ways in which computer worms and Trojans could be delivered to automobiles -- via onboard diagnostics systems, wireless connections and even tainted CDs played on radios systems.
They did not say which company manufactured the cars they examined, but did say they believed the issues affected the entire industry, noting that many automakers use common suppliers and development processes.
The three big U.S. automakers declined to say if they knew of any instances in which their vehicles had been attacked with malicious software or if they had recalled cars to fix security vulnerabilities.
Toyota Motor Corp, the world's biggest automaker, said it was not aware of any hacking incidents on its cars.
"They're basically designed to change coding constantly. I won't say it's impossible to hack, but it's pretty close," said Toyota spokesman John Hanson.
Officials with Hyundai Motor Co, Nissan Motor Co and Volkswagen AG said they could not immediately comment on the issue.
A spokesman for Honda Motor Co said that the Japanese automaker was studying the security of on-vehicle computer systems, but declined to discuss those efforts.
A spokesman for the U.S. Department of Homeland Security declined to comment when asked how seriously the agency considers the risk that hackers could launch attacks on vehicles or say whether DHS had learned of any such incidents.
The department helps businesses in the manufacturing and transportation industries secure the technology inside their products and investigates reports of vulnerabilities that could allow attacks.
Bruce Snell, a McAfee executive who oversees his company's research on car security at the Beaverton, Oregon garage, said automakers are fairly concerned about the potential cyber attacks because of the frightening repercussions.
"If your laptop crashes you'll have a bad day, but if your car crashes that could be life threatening," he said. "I don't think people need to panic now. But the future is really scary."
A McAfee spokeswoman said that among those hackers working on pulling apart cars was Barnaby Jack, a well-known researcher who has previously figured out ways that criminals could force ATMs to spit out cash (http://bit.ly/bqwEbS) and cause medical pumps to release lethal doses of insulin ( http://reut.rs/sCD4Pr). Makers of those products responded by saying they would work to improve security.
COMPUTERS ON WHEELS
White hats are increasingly looking beyond PCs and data centers for security vulnerabilities that have plagued the computer industry for decades and focusing on products like cars, medical devices and electricity meters that run on tiny computers embedded in those products.
Automobiles are already considered "computers on wheels" by security experts. Vehicles are filled with dozens of tiny computers known as electronic control units, or ECUs, that require tens of millions of lines of computer code to manage interconnected systems including engines, brakes and navigation as well as lighting, ventilation and entertainment.
Cars also use the same wireless technologies that power cell phones and Bluetooth headsets, which makes them vulnerable to remote attacks that are widely known to criminal hackers.
"There is tons of opportunity for attack on car systems," said Stuart McClure, an expert on automobile security who recently stepped down as worldwide chief technology officer of McAfee to start his own firm.
Security analysts fear that criminals, terrorists and spies are gradually turning their attention to embedded computers, many of which can be attacked using some of the same techniques as regular computers.
Automakers are rushing to make it easy to plug portable computers and phones to vehicles and connect them to the Internet, but in many cases they are also exposing critical systems that run their vehicles to potential attackers because those networks are all linked within the car.
"The manufacturers, like those of any other hardware products, are implementing features and technology just because they can and don't fully understand the potential risks of doing so," said Joe Grand, an electrical engineer and independent hardware security expert.
Grand estimates that the average auto maker is about 20 years behind software companies in understanding how to prevent cyber attacks.
Chrysler said it was addressing security issues with industry groups and outside organizations including Battelle Corp, a non-profit company that recently established an auto security research center in Columbia, Maryland known as CAVE, or the Center for Advanced Vehicle Environments.
CAVE, which declined to discuss its research on auto security, has hired hacking expert Tiffany Strauchs Rad, a professor at the University of Southern Maine. Last year, she was part of a team that identified flaws in prison networks which could enable hackers to remotely open or lock cell doors.
Concerns about such possibilities emerged after a group of computer scientists from the University of California and the University of Washington published two landmark research papers that showed computer viruses can infect cars and cause them to crash, potentially harming passengers.
The group chose a fairly banal name, the Center for Automotive Embedded Systems Security. Yet their work is as imaginative as that of Q, the fictional scientist who supplies weapons to British secret agent James Bond.
They figured out how to attack vehicles by putting viruses onto compact discs. When unknowing victims try to listen to the CD, it infects the car radio, then makes its way across the network to more critical systems.
For instance, they came up with a combination attack dubbed "Self Destruct". It starts when a 60-second timer pops up on a car's digital dashboard and starts counting down. When it reaches zero the virus can simultaneously shut off the car's lights, lock its doors, kill the engine and release or slam on the brakes.
In addition to designing viruses to harm passengers in infected vehicles, the academics were able to remotely eavesdrop on conversations inside cars, a technique that could be of use to corporate and government spies.
The research group disbanded after publishing two technical papers, in May 2010 and August 2011, that describe multiple types of attacks and ways to infect cars using Bluetooth systems, wireless networks as well as the car's OnBoard Diagnostics port, which is also known as an OBD-II port. (http://bit.ly/oao8a8)
One issue of concern is fighting ordinary PC viruses that could potentially infect cars when laptops and other devices are plugged into infotainment systems.
"Viruses are something that needs to be addressed directly. How we guard against that transfer to our system is a primary focus of our efforts," said Toyota spokesman John Hanson.
(Additional reporting by Bernie Woodall in Detroit; Editing by Leslie Gevirtz)
Also on HuffPost:
Google's Self-Driving Car
Google has transformed <a href="http://www.huffingtonpost.com/2011/03/03/google-self-driving-car-demo_n_831175.html" target="_hplink">ordinary Toyota Priuses</a> into hands-free vehicles, each equipped with a rotating camera, sensors and more. <a href="http://www.huffingtonpost.com/2011/03/03/google-self-driving-car-demo_n_831175.html" target="_hplink">According to the AP</a>, the four-wheeled fleet "can steer, stop and start without a human driver." These so-called self-driving cars handle themselves so well that one has even been used to take a blind man for a joy ride (<a href="http://www.huffingtonpost.com/2012/03/29/google-self-driving-car-blind-man-taco-bell_n_1387930.html" target="_hplink">see video above</a>).
Terrafugia Transition - Flying Car
With its "Transition" car, Terrafugia proves that <a href="http://www.huffingtonpost.com/2010/06/30/terrafugia-transition-fly_n_630578.html#s108243" target="_hplink">the future is finally here</a>. The operator of this amazing vehicle can drive it <em>and</em> fly it. The Transition has already been approved by the Federal Aviation Administration to fly in the skies and <a href="http://www.huffingtonpost.com/2011/07/09/terrafugia-transition-flying-car_n_893402.html#s305568" target="_hplink">by the National Highway Traffic Safety Administration to drive on roads</a>. If you happen to have a driver's license, pilot license, and <a href="http://www.huffingtonpost.com/2012/04/03/terrafugia-transition-test-flight_n_1399267.html" target="_hplink">$279,000</a>, this car might be the one for you. The Transition was slated for consumer release in late 2011, but that date has been delayed and no new date has been announced.
Moller M200G Hover Car
If you happen to be a fan of "The Jetsons," you're going to love this. For about $125,000, you can get your hands on your very own M200G Hover-Car, thanks to Moller International, <a href="http://gizmodo.com/280546/moller-m200g-hover+car-in-production-and-selling-for-125k" target="_hplink">reported Gizmodo way back in 2007</a>. While the M200G is pretty cool to look at (even if the photo is a little retro), a sleek flying car called the <a href="http://moller.com/index.php?option=com_content&view=article&id=50&Itemid=58" target="_hplink">M400 Skycar</a> may be the company's next project (though so far there's been no word on how it's coming along.)
This futuristic-looking "supercar," the <a href="http://www.tramontanagroup.com/car/car.php" target="_hplink">Tramontana R</a>, is a product of European auto-maker <a href="http://www.tramontanagroup.com/adtramontana/adtramontana.php" target="_hplink">a.d. Tramontana</a> and <a href="http://www.tramontanagroup.com/adtramontana/adtramontana.php" target="_hplink">features</a> a carbon fiber body, a max speed of more than 200 mph, and a V12 engine that produces a maximum horsepower of 720. Unfortunately, all of these awesome specs (and the fact that it looks almost as cool as the Batmobile) have landed the car with a ridiculous price tag. <a href="http://www.forbes.com/2009/04/24/car-cool-model-lifestyle-vehicles-car-cool_slide_10.html?thisSpeed=undefined" target="_hplink">According to Forbes</a>, it costs upwards of $511,126, and only 12 are released each year.
BMW ConnectedDrive Connect
BMW's <a href="http://www.huffingtonpost.com/2012/01/26/bmw-self-driving-car_n_1234362.html" target="_hplink">ConnectedDrive Connect system</a> can be installed in current BMW models and allows the car to drive itself. While at the moment the system operates only on pre-mapped roads, further developments will allow the car to adapt and drive on any street.
Audi's 2012 "super-luxury" vehicle is hailed as a standout in its class. <a href="http://usnews.rankingsandreviews.com/cars-trucks/Audi_A8/" target="_hplink">Writes U.S. News</a>, <blockquote>Test drivers say the A8's cabin is exceptionally crafted, and the standard MMI infotainment system now features Google Earth views on its navigation screen and available Wi-Fi connectivity, thanks to a SIM card in the A8's dash. Reviewers like the design and features inside the A8, but note that it packs less cargo space than many competing luxury sedans. Passenger space, on the other hand is ample. </blockquote> If it's anything like its predecessor, the Audi A7, which our own Jason Gilbert called a "<a href="http://www.huffingtonpost.com/2011/07/16/2012-audi-a7-features_n_900788.html#s310151&title=Head_Up_Windshield" target="_hplink">tech-lover's dream</a>," the A8 is sure to win over drivers who have $75,704 to $130,192 laying around.
SARTRE And Volvo's Road Train
In partnership with the Safe Road Trains for the Environment (SARTRE) program, Volvo is testing the "<a href="http://www.huffingtonpost.com/2011/01/22/sartre-road-train-platoon-car_n_811632.html#s227279" target="_hplink">road train</a>" system, in which a lead vehicle pilots a column of cars down highways. The head car controls the others via Wi-Fi, allowing the drivers to sit back, relax, and enjoy the ride. <a href="http://www.autoblog.com/2012/01/24/sartre-autonomous-road-train-enters-final-phase-with-trio-of-vol/" target="_hplink">According to Autoblog</a>, the system is entering its final phase of testing and should be able to accomodate six vehicles by the year's end. No firm release date has been set.
Similar to the Terrafugia Transition, the PAL-V (or Personal Air and Land Vehicle) was <a href="http://www.huffingtonpost.com/2012/04/02/flying-car-unveiled-in-ho_n_1397882.html?1333399106" target="_hplink">developed in Holland </a> and can reach speeds of up to 110 mph. Watch the video above to learn more!
Flying Hybrid Car
Pretty soon there will be a <em>hybrid</em> flying car on the market, too. While this Burt Rutan model has yet to be approved for regular use on the road, it is fueled by both electric motors and gasoline engines, so, whether driving or flying, you're traveling a little greener than the rest. [Via <a href="http://www.wired.com/autopia/2011/07/burt-rutan-designs-hybrid-flying-car/" target="_hplink">Wired</a>]
<a href="http://www.huffingtonpost.com/2011/10/19/new-delorean-electric-version_n_1019222.html" target="_hplink">In October of last year</a>, the DeLorean Motor Company, makers behind the iconic DMC-12, used as the time machine in <em>Back to the Future</em>, announced an all-electric model for, well, the future. <a href="http://delorean.com/content/news/electric/dmcevpr.pdf" target="_hplink">According to a press release</a>, the company paired up with Epic Electric Vehicles to bring this well-known car back to life and plans to market it in the States in 2013.
Mitsubishi's i-MiEV is a cleaner alternative to city driving. <a href="http://i.mitsubishicars.com/miev/features" target="_hplink">According to Mitsubishi's website</a>, the i-MiEV features a lithium-ion battery system along with its motor and other engine components, a seating capacity of four, and a max speed of about 80 miles per hour. This super-green vehicle <a href="http://www.mitsubishi-motors.com/special/ev/4innovations/index.html" target="_hplink">recently clinched the top spot</a> on the American Council for an Energy-Efficient Economy's (ACEEE) 14th annual Greenest Cars List for 2012.