In the United States, it's normal for cars to be connected to each other through data exchange. It's considered safe and practical--until hackers get involved. Today, even police cars aren't safe from outside interference.
From the twelfth floor of the General Motors skyscraper, you have an unobstructed view of Detroit. The cars look like toys from up here; it’s rush hour. But the employees working in the “OnStar Command Center” don’t even need to look out the window in order to know that. A digital map of North America stretches out on the wall in front of them, and next to it there are large screens with traffic reports and the weather report. CNN and Fox News are on in the background.
All of this is a little reminiscent of the NASA Command Center. And such a comparison is by no means an exaggerated one. Whoever sits here has control over some seven million vehicles worldwide whose owners subscribe to the so-called “OnStar” system from GM. Even when it was first introduced in 1996, it could automatically transmit the vehicle’s location after an accident, similar to “E-Call”, which will be required EU-wide for all new cars starting in 2018. Today, OnStar is a kind of digital concierge: when you press the blue button in the rearview mirror, you are connected to a worker in Detroit. He navigates the driver to the nearest restaurant, books a hotel room, or checks the tire pressure and the engine.
All of this is possible because modern cars are connected to the internet 24/7. The car – and therefore the driver – is thus under constant observation. And not just that: via remote control, the company can immobilize the entire car. “These functions are in the interest of our customers,” says John Capp, who is responsible for global security strategy at GM. For example, if someone forgets their keys in the car, you can remotely open the doors with the press of a button. Or force the car to stop. “If a vehicle has been reported stolen, we carefully bring it to a stop in coordination with the police,” says Capp. He is enthusiastic about the technical possibilities: “Actually you can do almost anything nowadays.”
But it’s not clear whether this really is in the interest of the driver. As early as 2002, the FBI obtained a court order that turned an assistance system into a bugging device. The technical implementation, however, was difficult because the interception interfered with the driver’s ability to make calls. The company in question went to court, charging misuse of its system, and won. At the end of 2003, an appeals court in San Francisco annulled the monitoring authorization.
“That is only one case that has gotten to the public,” says Lee Tien, a civil rights activist at the Electronic Frontier Foundation (EFF). “No one knows how often we have actually already been spied on through such systems.” EFF complains that cars are no longer private, even though most customers still believe they are. “Of course we all want to make use of the advantages of connected cars. But that definitely does not mean that we want to be observed all the time.” And this development is just beginning: in addition to the authorities, more and more companies are interested in drivers’ information. “Even today, insurance carriers are offering discounts if drivers have a black box installed. Of course they will do everything they can to get as much information as possible in the future as well.”
Modern cars are connected to the external world on three levels. First: smartphones and other mobile devices connect to the car via the on-board system. Second: diagnostic programs monitor the driving behavior and the condition of the car. The information is either transmitted to the manufacturer (such as with OnStar) or saved on the on-board computer, and can then be read out in the workshop or by the police. Third: cars communicate with their environment (for instance, at toll booths) or with other cars. Such systems are still in their infancy, but are becoming increasingly important with regard to automated driving. In the future, cars will also be able to avoid one another if there is danger of a collision.
All of this may make travel by car safer. But new risks are evident as well. For example, unauthorized persons could hack the connection and, in extreme cases, completely control the car remotely. The IT experts Charlie Miller (a former NSA hacker) and his partner Chris Valasek have demonstrated this several times.
Most recently, they sent a reporter from the technology magazine Wired in a Jeep Cherokee onto the highway. After they turned the fans and radio on full blast, they slowed the SUV down to walking speed – using their laptops while sitting on their sofa at home. Later, in a parking lot, they even took over the steering and deactivated the brakes. Overall, pretty scary.
The problem affects all car brands equally. And nobody knows whether a driver would even notice an attack in case of an emergency. “Everybody loves technological advances in this country,” says Barry Horowitz, who has dealt with car hackers for years at the University of Virginia. “Nobody calls for jail until something goes wrong.” Horowitz used to run an arms manufacturer, and today he advises the military in questions of IT security, in addition to the auto industry. His assessment: “Nobody is really prepared.”
Horowitz doesn’t even make an exception for himself. When he parks his Audi in front of his office, the “Check Engine” light suddenly lights up. “It’s been happening for weeks,” the engineer complains, “and the repair shop can’t tell me what is happening.” Is someone in the process of hacking his car? “No idea,” says the expert. Unfortunately, there is no installed diagnostics program that would detect such an attack.
Even the police is not safe from such cyber attacks, as Horowitz recently demonstrated in an experiment. With permission from the authorities, the scientist hacked into a Chevrolet Impala and a Ford Taurus that belonged to the Virginia State Police. Horowitz blocked the transmission and thereby stopped the officer from driving away – in the future, criminals could escape the police in this way. Nonetheless: the authorities are gradually becoming aware of the problem. “The auto industry is keeping a low profile in this matter,” says Horowitz. He can understand this to a certain extent, because ultimately the industry fears for its good reputation.
“Of course no one can guarantee absolute security,” says GM engineer John Capp in the industry’s defense. “But one thing that is for sure is that 90 percent of all car accidents today occur due to human error.” And that is precisely what can be prevented with modern assistance systems.” For two years, GM has had a department for cybersecurity, and the US automobile industry has founded an umbrella organization in which security issues are discussed.
Time is pressing, because according to all forecasts the number of internet cars will increase dramatically in the coming years. For example, OnStar has even been available in Opels since September 2015. For Europeans sensitive to being monitored, there is admittedly a “Private” button installed. If you press it, the car is no longer supposed to transmit data to the manufacturer.
Interestingly, people all over the world are decidedly in favor of self-driving cars. This is shown in a recent study by the World Economic Forum. Of the 5,500 people that were surveyed, 58 percent said that they would be “very likely” or “likely” to ride in such a car. But the results were different from country to country: for example, 56 percent of all Indians surveyed would be “very likely” to get into a self-driving car. In Japan, however, only 12 percent said they would, while in Germany it was 21 percent and 27 percent in the US.
This article was first published in Süddeutsche.de (in German) on December 4, 2015. It was translated from English by David Colclasure.
Research was made possible by the Transatlantic Media Fellowship Program.
Please note that the views expressed by the author do not necessarily reflect those of the Heinrich Boell Foundation.