HOME > OUR THINKING > Media & Communications > NEWS

WikiLeaks' reveal could make 'smart' cars smarter

From voice-activated navigation systems to remote checks on tire pressure, internet-connected features in cars have become increasingly common.

While researchers have been investigating security issues in connected cars for years, documents recently released by WikiLeaks could prompt more scrutiny from consumers and manufacturers.

According to WikiLeaks, the CIA in 2014 looked into the potential to hack into connected cars and trucks, though the site said it was unclear what the agency would do with any information it collected. The CIA has declined to comment on or confirm the WikiLeaks documents.

A spokesperson maintained the agency's "activities are subject to rigorous oversight to ensure that they comply fully with U.S. law and the Constitution."

"This kind of information creates alarm, but it doesn't change consumer purchasing behavior," said Don Bailey, founder of Internet of Things security firm Lab Mouse Security. He was one of the first researchers to demonstrate the potential of car hacking with a 2011 presentation that broke into a Subaru Outback using a series of text messages.

"What has changed is the way that the Federal Trade Commission reacts and the way that the FTC and the Federal Communications Commission enhance their guidelines to ensure that manufacturers are doing a better job of providing quality technology to consumers," he said, noting that forcing a regulatory change may be WikiLeaks ultimate goal.

Brad Russell, an IOT analyst at the research firm Parks Associates, said in an email that WikiLeaks' reveal simply added to a number of high-profile security and privacy breaches in recent months that created a "cloud of consumer anxiety over connected devices" of all sorts.

For instance, one recent study revealed that almost half of U.S. broadband households are "very concerned" about hackers getting access to their connected devices or the devices' data.

While these concerns might not dissuade early adopters, as the number of connected cars and devices grows each year, they may "be stunting adoption that could be growing faster or serve as a barrier to wider mass market acceptance," Russell said.

One system the CIA reportedly focused on is QNX, an in-car operating system made by BlackBerry that powers many of the "infotainment" systems by car-makers such as General Motors, Toyota, Jeep and Ford. BlackBerry COO Marty Beard said the company was not aware of any "attacks or exploits" against QNX or other BlackBerry products, though the leak was unsettling nevertheless.

SNL Image

A driverless car
Source: Nayva

"Still, the news is a bit frightening," he wrote in a blog post, noting that cybersecurity concerns could deepen with autonomous cars. "The notion that someday a car could be hacked and used to carry out a nearly undetectable assassination doesn't seem all that far-fetched."

But Bailey called that particular claim, stemming from WikiLeaks, "100% hyperbole."

"Their entire job is to gather intelligence, so the CIA has a lot of information that they can gather from vehicles...That doesn't necessarily mean they're going to take some kind of malicious physical action," he said.

While remote physical manipulations of a car systems are possible, researchers have drawn distinctions between these attacks and perhaps more plausible ones.

"Generally speaking, there is a very low probability of remotely controlling every connected vehicle on the road, simply due to the diversity of systems used," Sam Lauzon, a researcher and developer at the University of Michigan's Transportation Research Institute, said in an email. "However, GPS/location data, mobile-phone-related data and other personal information associated with infotainment systems equipped in these 'connected' vehicles is a much easier target and is generally considered to be more 'at risk.'"

Though security concerns have gotten more attention, the extent of how much information is available in a connected car can still take consumers by surprise, said Joel Reidenberg, a law professor at Fordham University who studies privacy issues.

After a recent car purchase, he received an email from a subscription that came bundled with the car telling him his car was running fine and offering details about its usage, for instance.

"I had no idea that the system was constantly monitoring the use of the car," Reidenberg said in an interview. "There are some benefits to it, but there are also huge privacy issues: who has that data, who gets access to that data, does it get shared with my insurance company?"

At a press conference March 9, WikiLeaks founder Julian Assange pledged to work with technology companies to fix the vulnerabilities described in the documents, which include disclosures about an effort to hack Samsung smart TVs. He also said he would provide technology companies such as Apple Inc., Samsung Electronics Co Ltd and Alphabet Inc. with more details initially, then disclose them more publicly "once this material is effectively disarmed."

But Bailey said companies are unlikely to respond directly to government hacking as they make security updates.

"It's not gonna be, 'Hey, I've got to go out and combat the CIA and the NSA, that's not a realistic change," he said. "But I think people are saying 'There are things that we can do now versus a couple of years ago that are more cost-effective, more practical' ... They're looking for those solutions because they don't want to be the next target on the news where somebody is saying 'Oh, look, so and so's technology is being used by the CIA or the FBI to hack consumers.'"

"Even if it's not true," he said, "nobody wants that press."