As of yet there are no known cases of cars being hacked, but hackers on behalf of the US military recently proved that it is indeed possible. In response to this news, Jacques Louw, Senior Information Security Consultant at MWR InfoSecurity has provided the following commentary:
“With regards to the attacks that have been previously demonstrated, especially those that targeted the CAN bus I think the risk has been greatly exaggerated. The risk of an attacker with direct access to the vehicles CAN bus disabling the brakes is similar to that of an attacker cutting break lines, there is nothing surprising or unexpected about this being possible. The danger comes in when this access can be attained remotely. This type of remote access requires an entry point other that the vehicles physical diagnostics port. Cars with, for example, media centres that are attached to the internet do not pose much risk to vehicle safety unless the media systems are connected either directly or indirectly to the vehicle's management networks. As security has not been a prime objective for vehicle manufacturers in the past these systems have been tightly integrated, leading to a situation where the security of an in-car media player can affect the car's brakes.
In the same way that oil and gas manufacturers isolate high risk SCADA systems from general employee networks, car manufacturers should concentrate efforts on isolating core vehicle networks from any systems that expose remotely connectible networks (such as internet or Bluetooth connections). Organisations like Auto-ISAC are certainly useful in raising awareness about potential threats to vehicles, but manufacturers also need to start managing this risk by performing in-depth security reviews and testing of these systems. Banks contract security firms to perform regular security tests (known as penetration tests) of high risk systems such as their on-line banking systems, and most cars manufacturers are not yet performing these kinds of assessments against vehicle systems as part of their new vehicle development process.”