In college, I worked as a computer technician. Later, I spent some time doing IT and other management tasks/training/security for larger operations, mostly medical offices. I’m not a cybersecurity expert by any means, but my past experience securing and maintaining networks makes the recent news of a massive cyberattack against the United States a very interesting story.
I’ve seen a few people asking on Twitter if their vehicles (Tesla and other brands) are safe from these cyberattacks. In short, yes, they’re likely very safe, but nothing is perfectly safe and that may change, too.
To explain this, I’d like to explain why government offices and corporations are so vulnerable and how your car (whatever brand it is) won’t fall to hackers as easily.
Why Governments & Corporations Get “pwned”
In agriculture, growing only one crop in a large area, and growing it again year after year after year, makes it easy to manage the crop and keeps costs lower. There’s a downside, though. Because the food source never changes, pests and diseases build up and can eventually kill broad swaths of the crop. Historically, this has led to famines.
Go into nearly any corporate or government environment, and you’ll see the same stuff everywhere. Computers with Intel processors run Microsoft Windows. Almost everybody runs just a few brands of networking gear (routers, switches, etc). While web servers run Linux in many cases, corporate and government servers are all too often Windows, too.
Like crops, it’s easier for pests (hackers) and disease (malware) to build up when everything is the same. This is a big part of what made so many organizations vulnerable to the most recent round of Russian hacking.
Many organizations used a network management software called SolarWinds. While using management software is great for making IT’s job easier, everyone is more vulnerable when too many people use the same management software. Instead of having to hack everyone, the Russians only had to hack SolarWinds, and then their servers were able to push out corrupted updates to everyone’s networks.
To be fair, it’s hard to diversify a network. Software vendors often only support Windows, even when it makes almost no sense (web-based software is even Windows only at times). IT workers are often only trained to support Windows computers and Windows servers. Ask an outside firm to come help you set up a network, and most of them will try to sell you the same stuff.
Everyone involved in making IT decisions would have to be very committed to computer diversity to do this, and that’s almost never the case.
Computer Education is Garbage
Computer Education in the US and most other places is garbage. There’s no nice way to say it.
Most computer education consists of telling people how to use Windows (and maybe Mac OS X if you’re lucky), how to use Microsoft Office, and very little else. Basic concepts of how computers work, what a computer network is, what the internet is, and how to not invite hackers in the front door are all missed.
Penetration testers (people hired to find security weaknesses in an organization) can almost always walk in the front door, quite literally. If you show up to a company or organization and look legitimate enough, employees will often let you in and give you access to the computers and servers. Sure, things are usually locked down with passwords, but that’s easy to get around in most cases with only a USB drive.
Once someone has physical access to your network, they can plant spy software or open virtual backdoors to steal your information later.
Want some more proof that computer education is garbage? Look at Nord’s top 200 passwords list. The top password is 123456 and #2 is 123456789. #4 is literally “password.” It’s the kind of thing an idiot would have on his luggage.
Spaceballs jokes about passwords aside, everybody’s doing stupid stuff with their passwords, even if they’re good passwords. It’s not uncommon to see a computer’s password on a post-it note stuck to the monitor. Even IT workers sometimes have a notebook in the server room with “documentation”, including critical passwords to key systems.
Even worse, trained people just get lazy. The government agencies that got hacked hadn’t implemented DHS-recommended security practices in most cases.
Failure of Imagination
Another thing I learned in college (mostly in emergency management and homeland security coursework) is that most people have never cultivated the ability to put themselves in the enemy’s shoes.
People don’t lock their doors, especially on cars, far too often. People leave valuables out in the open, or do a piss poor job of hiding them (sorry, but thieves will look under your mattress first). People invite strangers to come in the door, while opening your door at all for someone you don’t know is just as bad.
For most people, the idea that someone might be out to get them is too frightening to even consider. This “head in the sand” attitude leads many people to ignore what should be the most basic security measures and practices. If you want to secure your home, your workplace, or anything else you have responsibility for, use your imagination. Stop to think about how you’d attack the place you’re protecting, and you’ll see exactly where you need to beef up the defenses a bit.
Aside from just paying attention to what’s going on around you, your imagination is your best defense.
But Can’t Microsoft Just Fix This?
A former Microsoft employee wrote an article about how Microsoft used a combination of remote tools, lawyers, and Windows Defender to put a serious kink in the hackers’ hose. He called their ability to respond “the Death Star.”
While it’s great that they can respond like this, I can guarantee that they won’t respond like this (if they respond at all) if your small business or tiny state government office gets hacked like this. By making Windows relatively insecure for user friendliness, Microsoft leaves its users vulnerable.
If you want real security, you’ll need to educate yourself on what it takes or spend good money getting some professional help.
Why Aren’t Hackers Breaking Into My Car?
Now that I’ve explained why most organizations’ computer networks are so vulnerable, let’s talk a bit about why your car isn’t getting hacked.
Variety of Hardware and Software
Unlike offices, your car probably didn’t have much in common with the car next to it the last time you were stopped at a light. To execute a mass hack of everyone’s cars, attackers would have to hack hundreds of different types of systems, running different software and connected to other computers in the car in different ways. There’s a lot of diversity.
With connected cars, all cars aren’t connected to the same telematics network. Tesla cars have an encrypted connection to Tesla’s servers. Even if an attacker hacked Tesla’s servers, they couldn’t hack a Ford or a Nissan. To create a truly widespread car problem in a country, they’d have to hack most manufacturer’s servers, and not just one place.
Cars are often “air gapped”
While most newer cars have a computer network of some kind, that network is usually not connected to the internet. There are over a billion cars in use, but only around 28 million have an internet connection.
Without an internet connection, an attacker would have to gain physical access to your car to hack it. Even then, there’s almost no incentive to do so. Your car’s computer probably contains very little personal information, and even if hacked, they can’t affect the car’s steering, brakes, or engine/motor in any serious way in most cases.
Car Computers Aren’t “Swiss Army Knives”
Office computers are built and programmed to do a large variety of tasks. To be able to do all the different things they do, they have to have a lot of capability that goes unused most of the time.
Even if your car is connected to the internet, it’s not like a personal computer at all. The car’s computers are all made to do very specific things. To avoid wasted resources that drive up costs, cars aren’t built with much spare capability. The infotainment computer is made to play music, navigate, and change the car’s settings. The hardware might be able to do more, but he software just isn’t there to do other things.
Your car’s computers probably don’t have your credit card information, your emails, or most of the other things a hacker would want. There’s also very little chance, even in the most computerized of cars, for them to get in and mess up the car’s propulsion, steering, braking, etc. because the attackers would have to write a program from scratch to do all that, assuming the car’s computer could even run the code.
Most People Understand Car Security
Most people understand that you can’t leave your car unlocked or leave the keys in it. While that’s not always true, it’s far less common for people to engage in these lax car security practices.
There are attacks car thieves can use to gain access to your car, like remotely cloning your car’s key fob and re-transmitting that signal to the car to unlock it. Even in those cases, they’re more interested in stealing the car than gaining access to the computers in it, because they’re so limited.
Many people keep their car’s fob in a chip bag or other Faraday device at night because they know about these attacks, but their computer’s password is probably 12345. That’s quite a gap in knowledge.
This Could Change
If you’re someone worth attacking, like a dignitary or CEO, your car might be the target of hacking eventually, but the hackers would have to put a lot of effort in. They’d have to figure out which servers get them into your car or learn the car’s internal communication protocols in the event they gain physical access to your car.
Next, they’d have to figure out how to make the car do what they want, and that’s where the challenge is right now. Safety wise, the most they’ve been able to do is make a car stall out so far, but they needed a lot of information to do that. Theft and stealing your location data are the other two things they can really do at the moment.
However, as cars increase in complexity, more attacks could be possible. Autonomous cars, for example, might one day be hacked to change your destination and lock you inside for a mugging or abduction. At present, nothing of that kind has been documented. Again, you’d probably need to be a high-profile target for things like that to happen.
Going forward, the best things you can do to protect yourself from future vehicle hacking is to use common sense. Make your passwords hard to guess. Keep strangers out of your vehicle. Make sure your vehicle gets the latest security updates.