Hacking connected cars: How scared should you be?

Illustration file picture.

Illustration file picture.  (REUTERS/Kacper Pempel/Files)

Does playing Pandora through your dashboard put you at risk of being driven off the highway by malicious hackers? It might, according to work by computer researchers and a survey published this week by Sen. Edward Markey, D-Mass.

The survey comes during the same week President Obama sits down with Silicon Valley tech titans to discuss cyber security, an issue that gains in prominence as more devices become connected the Internet. One of the greatest cyber threats may be to automobiles as cars morph into rolling computers.

Much of the technology - scores of processors in most vehicles - is aimed at making cars safer, but this growing technical complexity also affords hackers an opportunity to digitally break into vehicles and wrest control of the vehicle from drivers. As Sen. Markey's office discovered, auto makers are not anxious to discuss issues of cyber security and privacy - several companies decided not to respond to the Tracking & Hacking questionnaire - but the issues are real.

Back in 2011, a Nissan Leaf owner discovered that the car's onboard Carwings system could be used to pull down personal information remotely using an RSS feed without the driver's knowledge. Speed, location, and direction could be tracked. While the loophole was quickly plugged by Nissan, it was an unsettling discovery.

Drivers are understandably sensitive to the issue of privacy and security. That same year, when GM tried to change the terms of how it uses information collected from OnStar, the safety and communications system, users became irate with the idea that their private information might be sold to other companies. It was such a contentious issue that the Supreme Court later cited it in a decision regarding expectations of privacy in the car.

Since then, the technology in cars has advanced rapidly, including semi-autonomous features that automatically steer and brake a vehicle. The 2015 Corvette even has an optional system for recording video from the car. And voice recognition systems commonly send the driver's spoken instructions to servers on the Web to process, a practice that caused mild hysteria when Samsung admitted earlier this month that its TVs did the same thing.

Researchers have repeatedly demonstrated how cars could be used to eavesdrop on drivers and passengers, as well as how to take over braking and steering. Two researchers, Charlie Miller and Chris Valasek, have shown how to perform such hacks, and last summer they examined car computer systems and ranked models for security. Only one Audi model seemed to have been designed with security in mind.

The problem stems from what scientists call the attack surface, the various possible points of entry available to a hacker. Now the attack surface has broadened because of a multitude of electronic safety systems (like adaptive cruise control) and common wireless technologies - cellular data, Wi-Fi, and Bluetooth, for example - that enable remote access from anywhere in the world.

DARPA, the government's Defense Advanced Research Projects Agency, recently demonstrated such a remote attack for the show “60 Minutes.” Scientists took control of a car from the reporter behind the wheel, jamming on the brakes and later driving it through a row of pylons.

"It's more like the kinds of vulnerabilities we've come to expect in our desktop software," John Launchbury, a program manager at DARPA told FoxNews.com. "They get patched regularly as bugs are identified." But, he added, that's not the ideal approach for securing automotive systems.

"No one wants to have to regularly patch their cars," Lance Cottrell, chief scientist at cybersecurity firm Ntrepid, told FoxNews.com.

And no one wants to wait until there's an accident or fatality to find a flaw.

Some of the security problems can be quickly addressed. Not allowing automatic Bluetooth pairing would be a first step, albeit at a slight sacrifice in convenience. Researchers also say that automakers need to use standard encryption and security protocols. More difficult is the idea of preventing data from being sent to a car through its cellular connection since that's how navigation and other information is conveyed; it's also how some future software fixes could be transmitted.

More troubling is the way these systems are pieced together. The company that makes an electronic control unit for the braking system may not have access to the computer code for the rear view video camera or cellular data connection, for example. It's the integration of these multiple layers where vulnerabilities are found.

Fortunately, there's been no reported instance of a criminal duplicating the DARPA stunt. So the world of cyber hijacked cars taking us on wild rides or creating accidents is not yet upon us. Texting while driving and failing to wear a seat belt are more immediate threats. But it's also obvious that as automakers advance upon the future of autonomous cars they are going to have to take security and privacy concerns much more seriously.

John R. Quain is a personal tech columnist for FoxNews.com. Follow him on Twitter @jqontech or find more tech coverage at J-Q.com.