PARIS – Among a host of documents – allegedly taken from the Central Intelligence Agency (CIA) – released to the public this week, WikiLeaks disclosed, “As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.”
WikiLeaks’ links to meeting notes from 2014, which listed “potential mission areas” for the CIA’s Embedded Devices Branch that included “Vehicle Systems” and “QNX.”
The thought of hackers – or terrorists – remotely hacking into your car, taking over the control, and crashing it with you inside seems like a scene out of a spy novel. It’s terrifying. But not so surprising, even to the general public, is to learn that the spy agency might have contemplated such a plot.
But this isn’t the scenario that scares the automotive industry. Ransomware does.
Security experts in recent months have publicly predicted that 2017 will be the year hackers first target vehicles with ransomware.
Andy Davis is one expert who thinks it will happen.
Davis is transport assurance practice director at NCC Group (Manchester, the U.K.), an information assurance firm covering software escrow and verification, and cyber security consulting. He belongs to a technical steering committee of Fastr (Future of Automotive Security Technology Research), an industry group founded to foster cross-industry collaboration on automotive security technology.
"Ransomware," so called because it blocks a person or company's computer until a fee is paid to unlock it, is fast rising throughout the world.
According to the SonicWall security team GRID Threat Network, ransomware attacks grew to 638 million last year, an explosive rise from 3.8 million attacks in 2015.
Thus far, none of those attacks were aimed at vehicles, however.
We caught up with Davis and asked him what automotive ransomware entails, the eventual ramifications for automakers, and why he believes the vehicle is the next target.
Scenario for automotive ransomware
Picture yourself in your car. You’ve turned on the engine, and a message pops up on the dashboard.” The message says, “This car has been hacked. Pay up XXX dollars in the next Y days, or we won’t allow you to start the car.”
This could be a very simple attack. It could be a bogus message. But you can’t help but wonder what will happen the next time you hit the ignition. Will it start? Will it blow up? Will it crash intentionally into someone else?
“Few drivers would take the chance.” said Davis. Most likely, they would get out of their car and simply walk away, because those ransomware messengers “are inducing fear.” Ransomware typifies an aspect of “social engineering” – in the hacking sense --designed for psychological manipulation.
There is a second scenario, said Davis, that “can be more lucrative but potentially riskier.” Hackers could go directly after car manufacturers for extortion. They’d play “a reputational angle,” he said. Of course, the bigger the car OEM they target, the greater law enforcement’s involvement, which could result in the hackers’ capture.
In principal, ransomware is no different from computer malware. When a computer or a smartphone user opens an attachment, he could be accidentally installing into his device ransomware instead of a virus.
Next page: Just like smartphones