BreachExchange mailing list archives

It isn't worth it right now for criminals to hack cars


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Feb 2015 19:05:25 -0700

http://www.businessinsider.com/it-isnt-worth-it-right-now-for-criminals-to-hack-cars-2015-2

People have expressed concerns about cars and hackers since motherboards
first appeared in dashboards.

Some critics of those computing systems have made measured and valid
points, while others shrieking doom and gloom have clearly been sporting
tinfoil hats.

Still others have seemed poised to profit from increased demand for
security software.

To date, our take on the matter has been that hacking isn't a real issue
for most vehicle owners -- at least not yet.

As we saw a couple of years ago, taking control of a car's computer is a
very complicated, clumsy process, requiring significant technical know-how,
not to mention access to the target vehicle's interior. Before someone
hijacks your steering system, you'll probably notice them in your backseat,
with a laptop plugged into your dashboard.

OBSTACLES TO HACKING

The problem -- or rather, the problem for hackers -- is that our cars
aren't fully networked. The much-discussed but still-elusive system of
vehicle-to-vehicle communication, which promises to slash the number of
auto accidents in America, has yet to be implemented on any meaningful
scale. As a result, our cars still operate as large, clunky islands unto
themselves -- islands full of software, but software that doesn't expose
the "guts" of our cars' control centers to bad guys and gals.

Complicating matters for hackers is the fact that the operating software
used by automakers is proprietary and varied. So, the code found on a Ford
Taurus isn't the same as that found on a Fiat 500. For folks interested in
creating chaos, that makes the payoff much more limited. Unlike a Windows
bug that can infect huge swaths of laptops, a bug installed on a Toyota
will have limited range -- very limited if the Toyota doesn't "talk" to
other vehicles.

That said, this scenario is changing. Where once we had to take our cars to
dealerships for software tweaks, some of us are now getting over-the-air
updates. Every time we do that, our car is connecting to a network, and
every time we join a network, there's an opportunity for hackers to drop in
a virus.

IMMEDIATE CONCERNS

The day when ne'er-do-wells can take over an accelerator from the other
side of the globe is still fairly far off. In the near future, though,
there are two areas of real concern for motorists:

PRIVACY: A couple of years ago, we told you about the Nissan Leaf and how
early iterations of the models' onboard software tracked owners' driving
and travel habits. While Nissan ultimately addressed the problem, similar
issues are popping up all the time -- with the automakers' permission.

For example, General Motors' OnStar recently launched something called
AtYourService, which tells OnStar subscribers about nearby shopping deals,
hotel discounts, and more. For AtYourService to work, OnStar obviously
needs to know where drivers are, what their interests are, and so on. One
good data breach -- like the kind we've seen at banks, major retailers, and
other businesses in recent years -- and your personal details could end up
in the hands of some very unsavory people.

SMARTPHONE APPS: Our cars' control centers may not be connected to massive
networks, but we can still interact with our vehicles in limited ways via
our smartphones. Many, many models now have apps that offer remote
starting, remote unlocking, and other features, which bad folks can exploit
to enter vehicles and, if not steal them, at least make off with the
packages left in the backseat. (A similar kind of vulnerability was
identified in BMW, MINI, and Rolls-Royce cars just a couple of weeks ago.)

OUR TAKE

The threat of hacked cars isn't a real concern to most drivers these days.
Criminals love a big payoff, and at the moment, the payoff from hacking
vehicles is simply too small.

But make no mistake: the day is coming when our vehicles will be fully
networked. They'll be talking to each other, to traffic lights, to charging
stations, to sensors embedded in roadways -- everything. By all accounts, this
will be hugely beneficial for drivers, reducing the number of traffic
fatalities and allowing vehicles to function autonomously. It will also
make hacking cars a far more lucrative endeavor.

The goal now is to ensure that these auto networks can't be exploited to
harm vehicles or their passengers. The National Highway Traffic Safety
Administration is already working on plans to keep connected cars safe. But
studies suggest that automakers themselves should share information,
develop standards, and collaborate on solving problems like these before
it's too late.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
