CIA’s Alleged Foray into Car Hacking Should Come As No Surprise

Ceremonial Swearing-In Of Leon Panetta Is Held At CIA Headquarters

The Central Intelligence Agency may be sharpening its car-hacking skills in efforts to carry out “nearly undetectable assassinations.”

That’s the alarming conclusion reached by WikiLeaks, the multinational nonprofit that advocates for the disclosure of government secrets. The organization published nearly 9000 documents earlier this week that are believed to have originated from America’s top intelligence agency.

Among the disclosures were meeting notes taken in October 2014 that listed “vehicle systems” as “potential mission areas” for the agency. One item mentioned QNX, a Canadian company that makes software and embedded systems for millions of vehicles.

Details remain scant. The CIA has neither confirmed nor denied the authenticity of the documents, and QNX did not return a request for comment. Nonetheless, a WikiLeaks analysis makes a leap or two to lay out the prospect that CIA operatives are targeting adversaries via holes in automotive cybersecurity holes, leaving nary a trace.

“Let’s not be cavalier about our inability to detect and respond to failures.” – Joshua Corman, Atlantic Council

This has led to a smattering of frightening headlines in recent days, but the revelation should come as no surprise. Cyber researchers have warned for seven years now that cars contain vulnerabilities that allow hackers to commandeer control and tamper with steering, speed and brakes.

In an age when cyber breaches cost major corporations billions and hackers meddle in elections, it would only be natural to assume the CIA can leverage a growing number of attack entry points that lead into vehicles.

“Cyber is now a conflict domain,” says Joshua Corman, director of the Cyber Statecraft Initiative, a nonprofit that promotes leadership and engagement in international affairs and co-founder of iamthecavalry.org, a grassroots organization that focuses on issues where computer safety intersects with public safety.

What may be more eye-opening than the CIA’s alleged hacking into vehicles is the fact manufacturers have languished in addressing vulnerabilities that have been unearthed by researchers going back seven years. Almost all of today’s cars have no way of detecting or recording malicious activity that occurs on their networks, and almost all have no way of responding to a real-time infiltration.

Hacker 090501SR. Consultant, Information Risk Management, Ben Sapiro, KPMG white hat hacker shows ho

Whether it is CIA operatives or any other hacker, they have no real need to cover their tracks because there currently are no tracks in the first place. In his testimony before Congress and work with auto industry executives, Corman has advocated for the installation of event data recorders in cars that would operate in the same vein as the so-called black boxes used in the aviation industry.

“Let’s not be cavalier about our inability to detect and respond to failures,” he said. “We need logging, black boxes, and over-the-air updates. For an investigation [by] the National Transportation Safety Board, they have to have forensically sound, tamper-proof evidence capture.”

A hypothetical case in point: In June 2013, journalist Michael Hastings died in a high-speed car crash in Los Angeles that, at least in some corners of the internet, warranted additional attention because of its unusual circumstances. Beyond the crash itself, Hastings had authored a groundbreaking story that ultimately cost U.S. Army Gen. Stanley McChrystal his career.

“We have found that an attacker who has compromised
-our car’s telematics unit can record data from the
-in-cabin microphone.” – UCSD/UW report, 2011

Put aside, for the moment, merits of the conspiracy theories that government operatives murdered Hastings as a retaliatory strike for the article, and a more practical problem emerges in a potential investigation of such a crash.

“I’ve heard from people about the theories with Michael Hastings, and I’ve calmly told them that, if you have forensically sound evidence capture in all vehicles, then there would be evidence of that,” Corman said. “Without it, you will sound crazy and no one will listen to you. The real issue here is that we don’t have evidence.”

Researchers Charlie Miller and Chris Valasek caught the attention of the entire auto industry, not to mention the Department of Transportation, Department of Defense, and Homeland Security, in July 2015 when they showed it was possible to remotely manipulate the controls on a Jeep Cherokee traveling along a Saint Louis–area highway from halfway across the country in Pittsburgh.

Security researcher Chris Valasek offers details on the remote hack of a Jeep Cherokee at the Black Hat conference in Las Vegas.

Security researcher Chris Valasek offers details on the remote hack of a Jeep Cherokee at the Black Hat hacker conference in Las Vegas.

But car hacking need not involve meddling with safety-critical components to have value for intelligence agencies. Forget running targeted individuals off the road; car hacking could be used for surveillance.

In 2011, researchers with the University of Washington and the University of California–San Diego reported that telematics systems such as General Motors’ OnStar and other features that permit voice-controlled phone calls could be manipulated to record conversations without subjects ever knowing.

“We have found that an attacker who has compromised our car’s telematics unit can record data from the in-cabin microphone,” they wrote. These capabilities “could prove useful to private investigators, corporate spies, paparazzi, and others seeking to eavesdrop on private conversations within particular vehicles.”

FRANCE-ENVIRONMENT-TRANSPORT-POLLUTION

The paper’s authors go on to write that adversaries could identify targets for such eavesdropping “quite quickly” in this manner.

Fast-forward a few years to a time when autonomous vehicles are prevalent on American roads, and the opportunities for the government to track the whereabouts of citizens or spy on their conversations start to proliferate. But again, this isn’t new information.

  • Ransomware: The Next Big Auto Cybersecurity Threat?
  • How the Connected Car Will Defend against Hackers
  • Bipartisan SPY Act Pushes NHTSA on Cyberthreats

Back in May 2014, five months before the CIA’s October meeting to discuss exploiting security holes in vehicles, the Federal Bureau of Investigation (FBI) issued a report that made note that “autonomous cars present game-changing opportunities and threats for law enforcement.”

Written by the FBI’s Directorate of Intelligence and Strategic Issues Group, the report says that self-driving vehicles “open up greater possibilities for dual-use applications and ways for a car to be more of a potential lethal weapon than it is today.” Later in the document, the FBI notes that because of lidar sensors and GPS tracking, “surveillance will also be made more effective and easier.”

Sounds like someone at the CIA was listening.

Pete Bigelow is the Transportation Technology And Mobility Editor at Car and Driver. He can be reached via email at pbigelow@hearst.com and followed on Twitter @PeterCBigelow.


Car and Driver BlogCar and Driver Blog