By Ben Gorban, IACP Law Enforcement Cyber Center and Highway Safety Initiatives; and Michael Wagers, PhD, Director, IACP Law Enforcement Operations and Support Division
Car hacking is definitely coming…
he statement above was spoken by Zoz, a presenter at a hacking convention in Las Vegas in August 2013.1 His presentation followed an explanation by two computer security experts of how they had spent the previous 10 months hacking into the computers of two popular vehicles with self-driving features. The hacks the computer security experts were able to pull off included disabling the brakes of the car; taking full control of the steering wheel; tightening the seat belt; turning off the engine; turning interior and exterior lights on and off; and making the console show a full tank of gas when it was not full.2
While manufacturers have set their sights on the end of the current decade for the release of the first entirely autonomous vehicles, many are already marketing a wide range of innovations intended to reduce crashes and increase roadway safety. In addition to some of the features that the computer security experts were able to hack, autonomous safety features such as in-vehicle crash avoidance systems and single-function automated systems are becoming standard, especially in luxury vehicles. These and other electronic features are able to reduce the probability of a crash occurring and enhance the safety and survival rate of drivers and passengers if a crash does occur.
The risk of autonomous systems being hacked certainly has numerous implications for the law enforcement field. Automated safety features hold great promise for highway safety and have the potential of significantly reducing the more than 32,000 deaths caused by crashes in the United States every year.3 The increased automation of vehicles and crash avoidance systems also has the potential to improve officer safety. According to the National Highway Traffic Safety Administration (NHTSA), from 1982 to 2008, officers driving too fast, failing to remain in the proper lane, and running off the road were the leading causes of crashes among law enforcement.4 In fact, in the decade from 2003 to 2012, automobile crashes were the second leading cause of law enforcement deaths, resulting in the death of 457 officers.5
However, as the computer security experts were able to show, electronic systems that are becoming critical to the functioning of automobiles also leave vehicles vulnerable to hacking. All three presenters at the hacking convention reiterated that the goal of their hacks was not to cause widespread havoc, but to demonstrate that autonomous safety features and vehicles need to be made more secure.6
Technology Can Reduce Highway Fatalities
According to the Insurance Institute for Highway Safety, existing safety features such as forward collision avoidance systems and adaptive headlights that shift direction as the driver steers have already significantly reduced the number of crashes.7 More complex technologies such as vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications are also being developed around a Federal Communications Commission–licensed spectrum that is capable of supporting a number of safety applications that requires the almost instantaneous relay of information. These technologies enable vehicles to automatically send and receive messages and warnings so drivers can take actions to reduce the likelihood and mitigate the effects of crashes.
Current research being conducted by the University of Michigan’s Transportation Research Institute on V2V technologies includes nearly 3,000 vehicles equipped with V2V communication devices that send and receive messages that translate the data into warnings during specific hazardous traffic scenarios, such as crashes at blind intersections, changing lanes into the path of a vehicle hidden in a blind spot, or impending collisions with the rear-end of a vehicle stopped ahead.8 Based on the early results of this research, NHTSA has estimated that the information provided by V2V technology could “address about 80 percent of crashes involving non-impaired drivers once the entire vehicle fleet is equipped with V2V technology.”9
Highway Safety and Cybersecurity
While vehicle automation and autonomous vehicles create opportunities to improve highway and officer safety, they also create opportunities for criminals, hacktivists, and others.
Manufacturers are increasingly using wireless networks to connect to the Electronic Control Unit (ECU) that controls the brakes, engine, locking mechanisms, and other important systems within individual vehicles. Internet-enabled mobile devices can then be synced with the ECU to lock and unlock doors and windows, start the ignition, and control the temperature remotely. While in many cases, the opportunity to control some of the most basic functions of a vehicle remotely serves a useful purpose, it also provides hackers with an opportunity to subvert these functions and take over a vehicle. In 2010, a joint study conducted by researchers at Rutgers University and the University of South Carolina demonstrated the extent to which researchers were able to take advantage of vehicles from more than 100 feet away. The researchers were able to access the sensors inside the tires of certain vehicles and send false low air pressure warnings to the dashboard display. The damage was even greater when the researchers traveled alongside the vehicle they hacked—researchers driving next to the vehicle were able to entirely break the ECU to the extent that it was inaccessible and non-functioning. Even after attempting to reset the system, restarting the car, driving for hours, and removing the car battery, the ECU was still inaccessible and needed to be replaced.10
More importantly, V2V and V2I technologies, the spectrum set aside for them, and the vehicles equipped with these technologies are also susceptible to cyber intrusions that can pose challenges to law enforcement agencies. Hacktivists and criminals may be able to hack into the spectrum and vehicles and manipulate or delete incoming and outgoing data and important warnings. If such an intrusion or attack occurred during rush hour or other high-traffic times, the effects could be costly for safety on the roadways. Crashes cause significant traffic delays and potential injuries and deaths, and these ill effects could be multiplied exponentially in a coordinated attack.
Automation and the IACP Law Enforcement Cyber Center
Recent innovations have and will continue to improve the safety of vehicles, officers, and roadways. As former Secretary of the Department of Transportation Ray LaHood noted, “Whether we’re talking about automated features in cars today or fully automated vehicles of the future, our top priority is to ensure that these vehicles—and their occupants—are safe.”11 It is important to ensure the cybersecurity of these features and vehicles is also considered as the industry moves forward.
To that end, the IACP Law Enforcement Cyber Center, which is supported by the Bureau of Justice Assistance, will continue to provide updates about the nexus between highway safety and cybersecurity; will continue to seek the input of the Highway Safety Committee, Computer Crime and Digital Evidence Committee, and other state and local law enforcement subject matter experts; and will continue to engage with federal and private-sector partners to ensure that the vehicles of today and the vehicles of tomorrow are safe and secure. ♦
1Seth Rosenblatt, “Car Hacking Code Released at Defcon,” CNET News, August 2, 2013, http://news.cnet.com/8301-1009_3-57596847-83/car-hacking-code-released-at-defcon (accessed January 2, 2014).
3National Highway Traffic Safety Administration, Fatality Analysis Reporting System (FARS) Encyclopedia, http://www-fars.nhtsa.dot.gov/Main/index.aspx (accessed January 8, 2014).
4Eun Yong Noh, Characteristics of Law Enforcement Officers’ Fatalities in Motor Vehicle Crashes, January 2011, DOT HS 811 411, 22, http://www-nrd.nhtsa.dot.gov/Pubs/811411.pdf (accessed December 30, 2013).
5National Law Enforcement Officers Memorial Fund, “Causes of Law Enforcement Deaths,” updated April 2013, http://www.nleomf.org/facts/officer-fatalities-data/causes.html (accessed December 30, 2013).
7Viknesh Vijayenthiran, “Study Finds Early Autonomous Car Tech Reducing Crashes,” Fox News, July 16, 2012, http://www.foxnews.com/leisure/2012/07/16/study-finds-early-autonomous-car-tech-already-reducing-crashes (accessed December 31, 2013).
8“Innovation, Safety, and Autonomous Driving,” remarks prepared for David Strickland, Administrator, National Highway Traffic Safety Administration (Greater New York Auto Dealers Association, World Traffic Symposium, New York, NY, April 5, 2013), http://www.nhtsa.gov/staticfiles/administration/pdf/presentations_speeches/2013/DS_GNYADA_Safety_Symposium_4-5-2013.pdf (accessed January 8, 2014).
9Hearing on The Road Ahead: Advanced Vehicle Technology and Its Implications, Before the U.S. Senate Committee on Commerce, Science, and Transportation, 113th Cong. (testimony of David L. Strickland, Administrator, National Highway Traffic Safety Administration, May 15, 2013), 3, http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=566d5c52-be38-4245-ab44-1ccbf2f198db (accessed December 27, 2013).
10Ishtiaq Rouf et al., Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study (2010), http://www.cse.sc.edu/~wyxu/papers/TPMS2010.pdf (accessed January 8, 2014).
11Karen Aldana, “U.S. Department of Transportation Releases Policy on Automated Vehicle Development,” press release, May 30, 2013, http://www.nhtsa.gov/About+NHTSA/Press+Releases/U.S.+Department+of+Transportation+Releases+Policy+on+Automated+Vehicle+Development (accessed December 31, 2013).
Please cite as:
Ben Gorban and Michael Wagers, “Car Hacking—The Risks and Implications for Law Enforcement,” Highway Safety Initiatives, The Police Chief 81 (February 2014): 60–61.