IBM Addresses the Security of Network-Connected Cars

connected car security

Cars no longer consist of just motors, four tires and radios—they’re rolling computers. Most new vehicles come with some 100 distributed computer systems and 100 million lines of code. This is great for drivers, providing them with enhanced reliability, safety, entertainment and communications. It can also—unfortunately—be an opportunity for hackers who want to take over the operations of a vehicle, whether it’s slamming on the brakes, cranking a steering wheel or killing an engine.

Original equipment manufacturers (OEMs) are aware of the potential for such malware car hijackings, but their business is building cars and satisfying customers—not, understandably, IT. That’s why researchers—like Dr. Yair Allouche, senior security researcher at IBM’s Cybersecurity Center of Excellence in Beer Sheva, Israel—have taken up the cause of ensuring network-connected cars are as secure as they can be. Security, he explains, is becoming just as essential to cars as air bags.

Q. What are connected cars, and what benefits do they offer?
Connected cars connect to the Internet via a wireless network. Many applications can rely on a connected car, such as remote access to the vehicle. Another example is remote diagnostics, which allows OEMs to collect data from the vehicle to see if something is wrong. They can then send you an alert if there’s a problem or tell you in advance about any malfunctioning components.

Another promising and interesting application is usage-based insurance, which will allow you to pay insurance based on the way you drive. Vehicles are also great sensors for traffic systems and real-time traffic conditions. The problem is that if you want to rely on that type of application, the data you’re collecting must be reliable.

Q. What are some security threats?
Vehicles are controlled by 70 to 100 small computers called electronic control units (ECUs). They’re connected via several internal networks, of which the most important is the Controller Area Network (CAN) bus, designed specifically for safety, not security. As a result, the protocol in this bus is not secure. If a computer wants to write a message on this bus, it doesn’t have to authenticate itself, as it’s based on the assumption that only authorized computers have access. No security mechanisms exist to protect the computer from incorrect or malicious data circulating on the bus.

Let’s assume you get control over one of the computers connected to the bus. This is game over. Once you get access, you can write everything to the bus. All of the other computers assume this is real, authenticated data, and they will treat it as such. Once you get access, you can impersonate any other ECU and send a command to brake, start the wipers and so on.

Q. How would someone gain access to this bus?
One way is physically. Vehicles manufactured after 1996 have an on-board diagnostics (OBD) II port to allow for diagnostics that can, for instance, make sure the vehicle isn’t emitting too much carbon dioxide. If you get access to this, you can send messages on the CAN bus and gain control over some critical functionality of the vehicle. I could also go to the garage and try to infect the laptop of the mechanic. If I can access the laptop, I may get access to an ECU within the vehicle when it’s connected to the infected laptop, and thereby gain access to the bus.

Jim Utsler, IBM Systems Magazine senior writer, has been covering the technology field for more than a decade. Jim can be reached at

Like what you just read? To receive technical tips and articles directly in your inbox twice per month, sign up for the EXTRA e-newsletter here.

comments powered by Disqus



2019 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.

Safely Concealed

IBM Identity Mixer is poised to change how Web users reveal personal data

Ups and Downs

IBM and Stanford University push spintronics to smaller levels

Computing in 3-D

Chips could gain depth to keep delivering on Moore’s Law

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store
Mainframe News Sign Up Today! Past News Letters