In March, the FBI sent out a public-service announcement warning about the threat of remote hacking in connected cars. A few months earlier, in December, two security experts hacked into a Jeep Cherokee and were able to access vehicle systems, shut down the transmission and, eventually, put the driver into a ditch as part of a demonstration. These instances are examples of the growing concern in the collision repair industry and among consumers surrounding vehicle security. Craig Smith, author of The Car Hacker’s Handbook, believes that hacking is the solution, not the problem. The issue, he says, all comes down to the perception of what vehicle hacking truly is. According to Smith, controlling a vehicle should not be the sole right of the auto manufacturer, and consumers should be able to modify and tinker with their own vehicles.
Smith, who started out in the security industry before moving to automotive, is the founder of Open Garages, a network of vehicle research labs that are centered on understanding complex vehicle systems. Open Garages provide public access, documentation and tools for today’s complex vehicles. He also runs Theia Labs, an independent security research company and speaks regularly on the topic of automotive security.
Smith sat down with FenderBender to discuss his views on vehicle hacking and why he’s worried about consumers getting “locked-out” of their vehicles.
Most people hear “hacking” and have a negative association with the word. What makes you feel differently?
We have a long history of hacking when it comes to cars. By hacking, I mean tampering and seeing how things work. As things became more electronic, a lot of people got out of it. I don’t think that’s right.
When a person purchases a car, he or she owns it. If a person wants to lease, an agreement is signed and that’s different, but if it’s not leased, it belongs to that person. Owners should be allowed to do what they want with their vehicles.
I encourage everyone to understand as much as they can about the device they buy. It’s important to know how a car works from a safety perspective, what is risky and what is not risky. Currently, we do not have a system that informs consumers on the precautions that automakers are taking to protect them from cybersecurity threats. The only way to know is to learn for yourself.
Doesn’t putting the information out there make it easier for remote hacking?
You have two choices: You can keep that information to yourself or you can publicize it. If you keep it to yourself, then the people who want to do bad things with it will still find a way. The bad guys will get at it. But, if you come out and talk about how remote vehicles can be accessed, that’s how you keep people from being susceptible. That’s how you get it fixed. The right thing to do is to talk openly about security so that everyone can have an understanding of it.
As far as keeping consumers safe from remote threats, how are automakers doing?
Automakers are starting to do a decent amount. They have definitely stepped up. Security reviews and updates are happening, which is good. I want updates, but I don’t want consumers to get locked out. I don’t want manufacturers to have all the control of a vehicle.
What are the common hacks that you think the industry will begin to see in the next few years?
What hacks will we see? If the industry doesn’t enable a clear method to make modifications, then the first hacks we see will be in the vein of jailbreaking. Just like the cellphone market, jailbreak techniques will be developed to unlock the security around the devices. Once the systems are modifiable, either through jailbreaks or vendor supplied methods, I would expect the new modifications will be similar to what we see now but with much better integration into the rest of the vehicle. You will not only be able to swap out components with third-party components but you will be able to interact with them using your infotainment/navigation unit in the same way you would with factory installed components.
What happens when a customer comes into a body shop with a vehicle that they have tampered with?
This is an important piece. What I recommend is that whenever a vehicle owner is doing an update or a modification, we need to have a flag and a secure boot area that keeps track of this. For those who don’t already know, a secure boot region is a section of a system that is in charge of setting up and booting the device. This region is separate from the actual OS and is a smaller mini-OS. This mini-OS can employ additional security checks and can store values such as “flags” that can be toggled on and off. Secure boot regions are the equivalent of a modern day BIOS for a PC.
When vehicle owners perform a modification, they assume responsibility. For example, if a vehicle with an ECU that has been modified comes into a collision repair shop, the customer assumes responsibility for the ECU. The automaker is no longer liable for modified parts. Ideally, when a vehicle enters a shop, the technicians would see any modifications that were made through a flagging system.
If a modification is made to a vehicle, isn’t there a possibility that a body shop would be unable to repair it?
That is always potentially a problem. If modifications are extensive, such as a Burning Man art car, a shop may very well want to turn that vehicle away. However, being able to create a modification that integrates with a vehicle is more likely to make it easier to work with a modified vehicle because it will still be able to communicate and report diagnostics like a factory-installed part. Any modification would remove the vehicle from warranty, but it would not make it more difficult to work on.
Where do you draw the line between something that an owner should be allowed to do themselves and what should be left up to a professional?
I think it’s important not to draw the line here. This same argument comes up with the original car manufacturers. The car manufacturers present the argument that they are the only ones with dedicated knowledge and testing, and therefore should be the only ones to modify a vehicle. This logic is very dangerous because, in essence, you build a society where only the large companies like GM can create innovations. People make modifications, not just to be unique, but often because the purchased device doesn’t fit their needs. If they have the skillset to build something great, we should always let them. If there are fears of certain types of modifications being unsafe then we should build affordable safety tests that a shop or an individual can take to prove their modifications are safe.
What should the collision industry anticipate for the future?
I’m hopeful that we can implement security and still enable the tinkering that has brought so much innovation to the automotive space. With 3D printers and electronic fabrication shops becoming more accessible, I can envision a new era of automotive modification and customization. Vehicles are largely software driven now, so modifications will need a compatible software component.
Jumping off of that, how common do you think modifications will be and how can body shops be ready for them?
There isn’t a whole lot a body shop can do to prepare yet because a lot of this is still in development. The best thing is to be vocal about the need to have the same access to the electronic communication as the factory components. Open, shared communication between the automotive manufacturers and the body shops will go a long way toward making a smooth transition into the new automotive era.
