Are Modern Cars Vulnerable to Hacker Attacks?

The Boeing aircraft company’s new 787 Dreamliner, which is slated for delivery to customers in the airline industry this year, could not fly without some 6.5 million lines of software code that keeps all its avionics and supplementary onboard systems humming along. This incredible amount of software code – a.k.a. computer programming – would take up no less than 197,000 pages of regular, lined A4 paper … if you chose to write it out longhand in your ‘spare’ time. That’s the number of pages in about 1200 copies of a magazine – comprising a stack of really informative dunny reads about eight metres high. That’s a lot of code.

But not compared with a modern, premium-class motor vehicle. These have substantially more code – about 100 million lines of it. (Think: stack of magazines stretching 130 metres into the air – enough to plaster the hangars for a squadron of 787s.) So in a sense, your modern vehicle and your home computer network have a lot in common. Only, instead of three computers, a modem, a router, a couple of printers, two iPods and two plug-and-play portable hard drives, a premium vehicle is a lot more complex. In premium vehicles you’re looking at between 70 and 100 networked electronic control units (ECUs) – each one like a little computer in its own right. You’ve got one looking at the engine’s fuel and spark, another looking at the electronic stability controls, and another waiting for the right conditions to fire off the airbags and pre-tensioners, etc.

In a very real sense, you’re not really driving around in a car any longer. You’re really riding in a large computer network with wheels and a transmission. You’re going to park it under the Outback sun, which zaps it with something like 7kW of heat energy. Temperatures inside the cabin will exceed 60 degrees C. Then, later, you’re going to punt it down a corrugated track, park it in the frost and even dunk it in a river (or, worse, the beach). You might do that for 15 years. And then, when the chips are right down and a terrible impact is just milliseconds away from killing you, you expect the ECU controlling those airbags, and the dozens of input sensors helping it to decide when to go ‘bang’, to perform flawlessly. Now there’s a scary thought.

In fact, electronics and software are such a big deal, automotively, that they now account for about 35 per cent of the production cost of a modern vehicle. In the past two decades, much more than half of all automotive innovation has been software or electronics-based. Grab your defibrillator for this next gem: according to industry experts, that software costs about US$10 a line by the time it’s encoded into the car – so for a LandCruiser, a GL or a Range Rover, as well as plenty of others, the code alone is something like a US$1 billion investment.

Although all of this reliance on code and electronics has made vehicles, on average, tremendously more reliable than their 1970s and ’80s predecessors, it has made an admittedly smaller number of problems much harder to trace and fix.

It’s estimated that as many as half the engine control ECUs replaced around the world seem to be error-free. However, replacement is the only option since they cannot be fixed by technicians in dealerships. The complexity of vehicle IT systems also means insurers write them off after seemingly minor crashes because it is cheaper than de-bugging problems during repair. There are as many as 3000 functions used by the vehicle itself in a modern upmarket vehicle, plus something like 300 used by the people in the car to operate various systems like navigation, audio, trip computer, etc. About one-third of all this software is devoted just to diagnostics.

It’s no surprise, then, that many recalls are software-related – the most recent of these being the Lexus GX460’s recall, which required a software upgrade to the ESC system.

A couple of years ago I was retained by a car company to give some feedback to engineers about steering feel and feedback on a particular model. Adjustments to the power assistance system were made by laptop. It was a pretty interesting job. I stupidly asked if I could have a go tweaking some of the parameters. It was politely explained to me that this was a bad idea: if I punched in the wrong numbers, the wheels might go left when I steered right…

All of this leads us to a rather obvious threat: hacking. Two researchers from the universities of California and Washington recently demonstrated how vulnerable a modern vehicle is to cyber attack. After plugging a laptop into a vehicle’s inbuilt diagnostic computer port, researcher/hackers Stefan Savage and Tadayoshi Kohno were able to follow the compromised vehicle and, from their own laptops and via WiFi, launch a cyber attack that prevented the brakes from working no matter what the driver did, then made the vehicle brake worryingly unevenly at high speed, killed the engine, and blasted the occupants with hot air and loud music while locking the doors. Apparently, modern vehicles are wide open to this kind of malicious attack.