Picture this: You’re driving along a stretch of road, and an unseen force takes over. The car picks up speed, then swerves—without your touching the accelerator or turning the wheel. You're no more than a helpless passenger. What just happened? Your car has been hacked.

It’s a frightening scenario. But how real is this threat? Real enough that car manufacturers and security experts from the federal government are taking it seriously.

“Any cyber expert will tell you that you can’t prevent it; it’s just a question of when,” says Mark Dowd, assistant general counsel for Global Automakers, a coalition of car manufacturers working to combat the looming threat of cyber attacks.

Part of the heightened concern about the risk of a car being hacked comes from the increased use of computerization and electronic features in new cars. Systems such as self-parking capability, steer-by-wire, and automatic cruise control give vehicles the ability to partly drive themselves—and that theoretically increases the risk of vital controls being hacked. (Read "Can Your Car He Hacked?")

As of now, a hack is difficult to pull off. But if carmakers standardize their software and firewalls, and become more uniform, it could attract the attention of hackers.

However, if software engineers with the automakers and the National Highway Traffic Safety Administration (NHTSA) have anything to say about it, these attacks will never happen. It’s their task to stay a step ahead of anyone who might seek to hack a car or groups of cars—whether it’s terrorists, tech-pranksters, or someone seeking personal revenge.  

At a lab on the grounds of the sprawling Transportation Research Center in East Liberty, Ohio, a team of NHTSA engineers spends their days hacking into vehicles. Consumer Reports was recently invited for an exclusive, behind-the-scenes demonstration to find out what the agency is doing to keep cars safe from a cyber attack. (Watch our video.)

NHTSA Electronics Project Engineer Frank Barickman and his team showed us what kinds of hacks are possible—and which are not—using two test vehicles, a Ford Fusion and a Toyota Prius. The cars were chosen simply because they are commonplace, not because they have any particular vulnerability. The project team has uncovered ways to manipulate the ventilation fans, windows, lights, horns, door locks, seat-belt tension systems, instrument panels, brakes, steering, and engines—all while the cars are in motion.

NHTSA’s computer engineers are able to perform their hacks thanks to high-powered engineering talent, intimate knowledge of the car’s software coding, unlimited access to the car, and a hard-wired connection to the car’s control center. Barickman is not aware of any real-world hack without physical access to a car—despite what a consumer might conclude from certain news reports and online videos.

However, NHTSA is using those learnings to determine the extent of what automotive systems could be hacked and how vulnerable these systems are, as well as how soon and how easily these hacks could be performed routinely and remotely. (Read "Your Personal Driving and Car Data Could Be at Risk.")

In concert with NHTSA, a consortium of automakers is working to combat the threat of cyber attacks, through the planned formation of an industry Information Sharing and Analysis Center (ISAC).

The automotive ISAC also will address the larger issue of consumer data privacy. However, how soon there will be any substantive improvements to car security and privacy has not been publicly stated.
 

In the interim, what can you do to be as vigilant as possible?  

Don’t plug any unknown or unscreened devices into your car’s USB or OBD-II diagnostic port, including thumb drives used to store music. Those are connections that could introduce malware—malicious software that could change or render vulnerable your car’s computer system.

Also, use only a mechanic you trust, because your car’s diagnostic connection is a “vector” where malware could be installed that could allow a gateway for a remote hack. Locate your car’s OBD-II port (typically under the dash on driver’s side) and familiarize yourself with what it looks like. If there's ever anything unusual plugged into it, or if it looks as if it's been tampered with, call your dealership.

Consumer Reports will stay on top of this topic as it evolves and will update readers as we learn more.

Read our special report, “In the Privacy of Your Own Home,” to learn about the connected devices that are tracking your daily routine.

—Jim Travers


 

Copyright © 2005-2015 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission. Consumer Reports has no relationship with any advertisers on this site.