January 29, 2015

A Word on Hacking the Connected Car

By Narayan Sainaney, CTO Mojio

There’s been a great deal of interest in the Internet of Things (IoT) and, in particular, connected cars. Of course, as more and more things become connected to the Internet, people worry about security.

With all the recent buzz around the connected car, security experts have demonstrated the potential risks  of unauthorized and even malevolent hacking of OBD connected car devices. These stories speak of being able to snoop into user’s driving habits and even go so far as to assert that a remote hacker could engage brakes or disable a vehicle while in motion. Of course, these are alarming possibilities in which the media, among others, love to anchor stories. It’s the combo platter of fear of new technologies and the realization of how they might be used for evil.

To put the current situation in context, generally speaking, these scenarios come from security researchers interested in promoting  their skills and/or security software to the burgeoning IoT industry. Of course, one way to sell a security product or service is by creating fear around “what if.”

Security, or lack thereof, is inherent in all systems designed for human use. It is a law of design that security and usability are at odds.

To illustrate the point, consider the analogy of a house. A comfortable home typically has front and back doors and any number of windows — each of these serves to degrade the security of the home while simultaneously enhancing the experience of living in it. In contrast, a bunker is far more secure however, its doubtful that most people would enjoy living in one. It is this consideration that technology pioneers face when developing new products.

OBD wireless devices are designed to unlock car data and deliver unique capabilities to car owners and drivers. These communications follow a complex, multi-layered, multi-protocol path to and from the vehicle’s onboard computer, which is in fact very secure. A number of these protocols are proprietary and therefore undocumented in order to protect them.

Mojio is the world’s leading open platform for connecting cars, which means we strive to provide legitimate apps easy access to data from vehicles. Much like everyday smartphone apps, Mojio consumers explicitly download Mojio car-connected these apps to their phones in order to use the services provided.

With respect to security, Mojio does not grant anyone direct access to the in-vehicle device. Developers and hackers (well-intentioned or malevolent) have access only to secure APIs that query cloud-based vehicle events and notifications. Mojio’s platform insulates the developer’s code from the car, and ensures that developers cannot communicate with the in-vehicle Mojio device.

Recent media coverage has highlighted researchers hacking other OBD devices and demonstrated their vulnerability to theoretical and actual remote control. The hackers raise some important theoretical means and questions about hacking cars, highlighting the need for diligence with regard to security. That said, it is important in this conversation to provide some context to the attention being paid to remote car hacking.

Today there are more than 200 million registered cars on the road in the US and since 1996, there have been between 200 and 265 different models of cars introduced into the US market every year. This means there have been more than 5,000 models of cars introduced to the market with an OBD II port. Each of these cars have a unique set of codes – about 2500 – that are used in many sequences to execute commands that vary within different years of the same model, as well as across different makes and models. Generally speaking, to hack into a car requires an inordinate amount of knowledge and effort.  First, the hacker must know a particular car has a particular wireless OBD device onboard and be capable of breaching its secure, remote communication line with the target vehicle. Then, once having access to and reverse engineering all the commands and sequences for the target vehicle, the hacker would have to know how to manipulate them to the desired effect.

Assuming the hacker has somehow gained access to this protected information and figured this out, they would also need to bypass existing security protocols within the vehicle itself to gain control of its systems and then to remotely control those systems. All of this needs to be done while maintaining a constant communication with a moving car and remaining undetected by the driver, the portal into the car and the car itself. While with enough time and patience this is of course is all possible and may allow a committed hacker access to activate or deactivate auxiliary functions of a single car, when viewed in context, the probability of car hacking on an individual level or a mass scale is extremely low.

And so, returning to the house vs. bunker analogy, our job is to find the most livable bunker possible that delivers on the promises and possibilities of connected cars, while keeping safety and security top of mind. Security will be an ongoing element of the car industry’s – and Mojio’s – technology future. Let me know if you have any thoughts on the subject at [email protected].