The revelation through WikiLeaks that the CIA has explored hacking vehicle computer control systems should concern consumers, particularly as more and more cars and trucks roll off assembly lines with autonomous features.
“I think it’s a legitimate concern considering all of the computers being added to cars,” said Kit Walsh, a staff attorney with the privacy group Electronic Frontier Foundation (EFF). “There’s no reason the CIA or other intelligence agencies or bad actors couldn’t use those vulnerabilities to hurt people.
“The risk is greater if you’re trusting a self-driving vehicle,” Walsh said.
WikiLeaks this week released more than 8,700 documents it claimed came from the CIA’s Center for Cyber Intelligence; some of the leaks indicated the intelligence agency had looked at exploiting security vulnerabilities in smartphones, smart TVs, and vehicle computer systems.
“As of October 2014, the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks,” the WikiLeaks post stated. “The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.”
WikiLeaks also linked to meeting notes from 2014 listing “potential mission areas” for the CIA’s Embedded Devices Branch. The notes included references to “Vehicle Systems” and “QNX,” which is BlackBerry’s automotive software platform for telematics and in-vehicle infotainment (IVI) systems.
Increasingly, automakers have been adopting QNX. In 2016, for example, Ford announced it was dropping Microsoft as the platform for its SYNC infotainment system and adopting QNX instead. Ford’s new SYNC 3, using QNX, was rolled out in new vehicles last summer.
Automakers have also been enabling over-the-air software updates for vehicles that could allow malicious code to be uploaded to on-board computer systems.
The government’s role is to protect Americans
The role of the U.S. government is to explore security vulnerabilities in order to make product manufacturers aware of potential hazards, not exploit them, Walsh said.
In 2014, the Obama Administration assured Americans that a policy called the Vulnerabilities Equities Process (VEP) would prevent federal agencies from withholding “major” security vulnerabilities from the companies affected by them—particularly ones that could cause consumers harm. Any security holes that were exploited by security agencies are only supposed to be used in national defense.
“The agencies are supposed to reveal vulnerabilities so companies can fix them and keep Americans safe. This is an example of a huge agency not following those rules and leaving people exposed to vulnerabilities so they can exploit them,” Walsh said. “We’ve seen this before from the U.S. government.”
Last year, a group calling itself the Shadow Brokers released what appeared to be a portion of the National Security Agency’s hacking toolset designed to penetrate network firewalls; it included information about several previously unknown security holes, known as zero-day or 0day vulnerabilities.
According to a Reuters report, the NSA toolset was designed to exploit vulnerabilities in widely used networking products produced by Cisco and Fortinet.
Right now, the decision about whether to retain or disclose a vulnerability is theoretically governed by the VEP, but because the policy isn’t binding on the government, it’s toothless, the EFF said in a blog post.
Cryptographer and computer security specialist Bruce Schneier said what’s needed is government regulation.
“This is a huge problem,” he said. “It’s things that affect the world in a direct physical manner and will cause harm to property and life.”
Schneier said he has no doubt the CIA explored zero-day vulnerabilities in order to find ways to spy on citizens and assassinate enemies.
“I think the worst thing about this is it demonstrates—just like the Shadow Brokers did—that the Obama Administration’s assurances that the Vulnerabilities Equities Process prioritizes defense was a lie,” Schneier said.
According to The Washington Post, the purpose of the CIA’s hacking efforts exposed by the WikiLeaks posting could not be independently verified and the intelligence agency has declined to confirm the activity.
Vehicle cybersecurity has come to the forefront for automakers and legislators after several instances of white-hat hacking showed that vehicles could be remotely hacked and controlled.
A modern car has dozens of computers with as much as 100 million lines of code—and for every 1,000 lines there are as many as 15 bugs that are potential doors for would-be hackers, according to Navigant Research.
As more vehicle models come equipped with cellular, Wi-Fi and Bluetooth connectivity, experts say they have become more vulnerable to hackers who can remotely gain access, either via wireless sniffing devices or over the internet.
By 2020, there will be 250 million wireless “connected” cars on the road, according to Gartner.
For example, in 2015, security experts Charlie Miller and Chris Valasek collaborated with Wired magazine to demonstrate how they could remotely hack into and control the entertainment system and other more vital functions of a Jeep Cherokee.
Both hackers are experienced IT security researchers. Miller is a former NSA hacker and security researcher for Twitter; Valasek is the director of security research at IOActive, a consultancy.
The hacking demonstration resulted in Fiat Chrysler Automobiles (FCA), the world’s seventh-largest automaker, issuing a recall notice for 1.4 million vehicles in order to fix a software hole that gave hackers access to and control over vital functions.
“The flag was two or three years ago when a couple of hackers took over the acceleration and brakes of a car,” Schneier said. “If you weren’t woken up then, how is this going to make a difference?”
Based on past behavior, malicious hackers don’t typically break into computer systems to harm people; the purpose is to exploit the systems for financial gain, Walsh said. So if the CIA were exploring ways to hack into vehicle computer systems, it wouldn’t be for any typical purposes.
“Am I surprised? No,” Walsh said. “The idea that you could use hacking into a car to kill someone is something that’s been floated around—but as far as I know we didn’t have any confirmation that someone who would do it was looking into how to do it.”
Schneier isn’t surprised, either.
“What do you think the viability is that 20 years ago they looked into ways to manually sever the brake lines of cars and kill people?” Schneier said. “It’s the CIA. It’s their job, so yes, I’m sure they were. I’d be stunned if they weren’t.”