The Washington PostDemocracy Dies in Darkness

What we know about car hacking, the CIA and those WikiLeaks claims

WikiLeaks says it has a trove on the CIA’s hacking secrets. Washington Post national security reporter Greg Miller explains what these documents reveal. (Video: Dalton Bennett, Greg Miller/The Washington Post)

Tucked into WikiLeaks’ analysis of a trove of documents allegedly from the Central Intelligence Agency is a stunning line: That the agency has looked into hacking cars, which WikiLeaks asserts could be used to carry out “nearly undetectable assassinations.”

In making its claim, WikiLeaks links to meeting notes from 2014 listing “potential mission areas” for the CIA’s Embedded Devices Branch, which includes “Vehicle Systems” and “QNX.” The leaked documents, which The Washington Post could not independently verify and the CIA has declined to confirm, do not appear to suggest the vehicles be used for assassinations, and even WikiLeaks admits “the purpose of such control is not specified.”

The fear that your car can be hacked and made to crash is not new, and it’s not completely unfounded. Concerns about automotive cyber security have been raised since automakers began outfitting cars and trucks with computer-controlled systems.

Those concerns have been compounded in recent years as an increasing number of cars come equipped with connections, including satellite, Bluetooth and Internet, that experts say make them more vulnerable to hackers who can then gain access to the computerized systems without ever stepping foot near the actual vehicle.

Here is what we know about hacking into and remotely controlling cars:

Vehicles have been hacked before 

In 2015, security researchers Charlie Miller and Chris Valasek hacked into a 2014 Jeep Cherokee and managed to “turn the steering wheel, briefly disable the brakes and shut down the engine,” the Post’s Craig Timberg reported. The pair found they could also access thousands of other vehicles that used a wireless entertainment and navigation system called Uconnect, which was common to Dodge, Jeep and Chrysler vehicles. The hack prompted Fiat Chrysler to recall 1.4 million vehicles.

“It doesn’t appear that any manufacturers currently have detection/prevention methods for such attacks,” Valasek said via email Tuesday. “Remember, Charlie and I did all this research in our spare time with limited resources. ”

The Miller and Valasek hack is widely reported, but it wasn’t the first or even most recent successful security breach. Researchers from the University of Washington and the University of California at San Diego published papers in 2010 and 2011 showing that vehicles could be compromised when hackers gain access, either in person or remotely.

Last year, researchers in Germany released a study showing they could unlock and start 24 different vehicles with wireless key fobs by taking control of the device remotely and amplifying its signal, Wired magazine reported. While the wireless key fob was still on the kitchen counter, hackers could be driving off with the car, researchers claimed.

Yoni Heilbronn, the vice president of marketing at Argus Cyber Security, an automotive security company, said: “The equation is very simple. If it’s a computer and it connects to the outside world, then it is hackable.”

Hackers could crash your car, but it’s unlikely 

Perhaps the greatest car-hacking fear is the idea that someone could take control of your vehicle and drive it over a bridge or into a brick wall.

The WikiLeaks release even renewed suspicions about the death of journalist Michael Hastings, who was killed in a single-car accident in Los Angeles in 2013.

“You could envision doing all sorts of things, such as waiting until the car is going above a particular speed limit and then apply one of the brakes or steer [the wheel] in cars for which you can control the steering,” said Stephen Checkoway, an assistant computer science professor at the University of Illinois at Chicago.

That fear is not without merit. As Miller and Valasek demonstrated, hackers have compromised some of the vehicle’s most critical functions and safety features before.

But those hacks require time and technical know-how to execute, making an attack something a run-of-the-mill criminal is unlikely to carry out, said Sam Lauzon, a researcher and developer at the University of Michigan Transportation Research Institute. What’s more, automakers are increasingly isolating the computers that control the vehicle’s most sensitive systems, meaning they cannot be breached even if hackers tap into other technologies, such as the entertainment system, he said.

“The likelihood of someone driving you off the road while you’re driving down the freeway is very slim,” Lauzon said. “Very slim.”

The WikiLeaks CIA documents did not appear to offer details on how the agency intended to hack into vehicles.

Your entertainment system is most vulnerable

Also listed in the WikiLeaks document of “possible mission areas” is QNX, a popular operating system for in-car entertainment and navigation technologies. Since 2010, QNX has been owned by the company now known as BlackBerry. The system has been used in more than 50 million vehicles that range from Audi to Ford to Maserati, according to the company.

“Providing the highest level of security has always been at the core of our mission,” a BlackBerry spokeswoman said in an email. The company added that its security research groups constantly monitor software for vulnerabilities that need to be fixed.

Lauzon speculates that hacking the operating system could allow the CIA to track a vehicle’s movements, listen to conversations, or monitor other data that passes through the system.

The entertainment system is typically one of the most vulnerable to attack because it’s so highly connected to the outside world, both Lauzon and Heilbronn said. Connections to cellular networks, Bluetooth, WiFi, etc. often come through the system, allowing you to play music, take phone calls, look up directions or connect to other applications.

It’s hard to tell when a vehicle has been hacked 

The “nearly undetectable” assertion in the WikiLeaks claim likely stems from the fact that it’s difficult to determine when a car has been hacked, experts say.

“Today, manufacturers really have no idea what’s going on,” Heilbronn said. “They have no idea if it’s been hacked or not.”

There is no mechanism to alert manufacturers when a car is behaving erratically or appears to otherwise be compromised, Lauzon said. But technology companies and automakers alike have such technology under development.

“I haven’t seen one fitted on a vehicle at assembly time, but it’s something they’re looking into the feasibility of,” Lauzon said.

Automakers are aware of the problem

Today, Miller and Valasek work at ride-hailing company Uber. Auto manufacturers and transportation companies have scooped up a number of cyber experts in recent years, part of a concerted effort in the industry to build products with stronger security features.

Carlos Ghosn, the head of an alliance that includes Nissan, Mitsubishi and Renault, told a crowd in Washington last week that the employees building the alliance’s self-driving and connected car technologies are “surrounded by cybersecurity specialists who spend their time analyzing what could go wrong.”

“We take it very seriously because we know the end ticket to this technology is making sure that we’re going to reassure the regulator that you have a sufficient level of cybersecurity,” he said.

One of the challenges nagging automakers is how to update security software once it is installed in the vehicle. Cyber threats are always changing and upgrading a car’s security software through downloads — much as you would update the software on a smartphone — has only recently become feasible.

In 2015, auto industry players created the Automotive Information Sharing and Analysis Center to swap information about cyber security threats and how to combat them. Then last October, the National Highway Traffic Safety Administration published a cyber security “best practices” guide for automakers with suggestions for building more secure vehicles.

Computers in cars are actually a really good thing

Before you rush out to buy a dated vehicle to avoid the latest technology, it’s worth noting the benefits of driving computers on wheels.

Many modern safety features depend on computers and software to function, including anti-lock brakes, lane-assist technology and automatic crash notification. They also help under the hood to make the engine more energy efficient and provide conveniences, such as the ability to make phone calls with both hands on the wheel, Checkoway said.

“That they have enable new attacks is worrying, but on balance computers have improved safety,” he said.

What you can do about cyber threats

The short answer is not much.

As Heilbronn points out, car security is not like picking out Norton or McAfee anti-virus software for your laptop. Automakers have to build cybersecurity protections and software into the vehicle before it ever hits the road, and continue to update those programs as new threats emerge, he said.

“Today, the average customer doesn’t have any knowledge as to what should be installed,” Heilbronn said.

Lauzon does have one small piece of advice: avoid installing your own onboard diagnostics, or OBDII, devices, which can monitor a car’s performance, provide Internet connections and other features. These devices can communicate with the vehicle’s internal systems but may rely on insecure wireless connections, he said.