[Paleopsych] NYT: Can a Virus Hitch a Ride in Your Car?

Premise Checker checker at panix.com
Thu Apr 14 19:07:35 UTC 2005

Can a Virus Hitch a Ride in Your Car?

    A VIRUS can wreak havoc on computer files, hard drives and networks,
    but its malicious effects tend to be measured in wasted time, lost
    sales and the occasional unfinished novel that evaporates into the
    digital ozone. But what if viruses, worms or other forms of malware
    penetrated the computers that control ever more crucial functions in
    the car?

    Could you find yourself at the wheel of two tons of rolling steel that
    has malevolent code coursing through its electronic veins?

    That frightening prospect has had Internet message boards buzzing this
    year, amid rumors that a virus had infected Lexus cars and S.U.V.'s.
    The virus supposedly entered the cars over the Bluetooth wireless link
    that lets drivers use their cellphones to carry on hands-free
    conversations through the cars' microphones and speakers.

    The prospect is not so implausible. A handful of real if fairly benign
    cellphone viruses have already been observed, in antivirus industry
    parlance, "in the wild."

    Still, a virus in a cellphone might muck up an address book or, at
    worst, quietly dial Vanuatu during peak hours. But malicious code in
    cars, which rely on computers for functions as benign as seat
    adjustment and as crucial as antiskid systems that seize control of
    the brakes and throttle to prevent a crash, could do far more harm.

    The Lexus tale, based on murky reporting and a speculative statement
    by Kaspersky Labs, a Moscow antivirus company, seems to have been
    unfounded. "Lexus and its parent companies, Toyota Motor Sales USA
    Inc. and Toyota Motor Corporation in Japan, have investigated this
    rumor," the carmaker said in a statement last month, "and have
    determined it to be without foundation."

    But the question lingers: Could a car be infected by a virus passed
    along from, say, your cellphone or hand-held computer? Or worse, by a
    hacker with a Bluetooth device within range of the car's antennas?

    The short answer is, not yet.

    "Right now this is a lot of hype rather than reality, the idea that
    cars could be turning against us," said Thilo Koslowski, a vice
    president and lead analyst for auto-based information and
    communication technologies at Gartner G2, a technology research firm.
    "We won't see John Carpenter's 'Christine' becoming a reality anytime

    But Mr. Koslowski and others are quick to point out that the elements
    for mischief are slowly falling into place:

    First, vehicles are increasingly controlled by electronics - to the
    point that even the simple mechanical link between the gas pedal and
    engine throttle is giving way to "drive by wire" systems.

    Second, more data is being exchanged with outside sources, including
    cellphones and real-time traffic reports.

    Finally, the interlinking of car electronics opens up the possibility
    that automotive worms could burrow into a memory storage area in ways
    that engineers never imagined.

    Since the early 1990's, the various computers that manage a car's
    engine, transmission, brakes, air bags and entertainment systems have
    been increasingly linked in networks much like the ones that offices
    use to let workers share printers, scanners and backup storage drives.
    Benefits of interconnecting the electronic devices include less wiring
    - a luxury car can contain miles of copper cables - and reduced
    weight, an important factor in improving performance and fuel economy.

    Less obvious are the advantages of having the components communicate:
    an antiskid system, designed to help keep a car from spinning out of
    control, links sensors in the steering, brakes and throttle, and can
    effectively seize control from the driver.

    Other systems in which computers essentially take over, if only for a
    second, include emergency-brake assist, which provides maximum braking
    force when sensors detect the need for a panic stop, and "active
    steering," a feature now exclusive to BMW in which computers can
    compensate for a driver's recklessness.

    The latest versions of in-car information systems, known as
    telematics, include the ability to diagnose vehicle maladies. General
    Motors' OnStar can forward readings from sensors throughout the car
    for troubleshooting, a process called remote diagnostics. (All G.M.
    cars will include OnStar by the end of 2007.)

    The data, read from the engine-control computer, is transmitted over
    the OnStar cellphone link. Several automakers have discussed plans to
    use this conduit to update a vehicle's software or even perform
    electronic repairs, though no automaker is currently doing this
    regularly. Microsoft has entered this business, too, having recently
    signed a deal to provide software for a telematics and diagnostics
    system to be installed in all Fiats, starting this year.

    By design, the various controls are not isolated from other in-car
    processors, since they need to share information to operate
    effectively and avoid the need for redundant sensors, wiring and
    microprocessors. Also, automakers have begun to share in-car
    processing power and memory capacity over the network, said Paul
    Hansen, the publisher of an industry newsletter, The Hansen Report on
    Automotive Electronics.

    In a car with a stand-alone cellphone installation there would be no
    pathway for pernicious computer code to enter the vital electronic
    systems. But as automakers work to take advantage of linked
    processors, ready exchanges of data - and malware - become possible.

    Possible does not, however, mean easy. Unlike the anonymous and remote
    world of PC viruses delivered over the Internet, a ne'er-do-well would
    need, in most cases, a few moments alone with a car to impregnate it
    with malware - for now.

    Marko Wolf, a research associate at Ruhr-Universität in Bochum,
    Germany, and co-author of a recent study of security in automotive
    networks, said a rogue mechanic with under-the-hood access could make
    short work of planting malicious code. And as internal networking
    reaches the exposed extremities of a car - its side mirrors, say, or
    its lights - the number of potential access points increases.

    "Cars have extended their bus wires and controllers even into their
    electronic mirrors" and to receivers for global-positioning signals,
    Mr. Wolf said, conjuring a "Mission: Impossible" plot: "One can easily
    hack into the internal communication system just by breaking away that
    outside part and connecting the bare bus wires with a P.D.A. or
    laptop." (A bus is essentially a collection of wires linking one part
    of a computer - or a car - to another.)

    Looking ahead, a proliferation of remote access points - OnStar-type
    services, for instance, or short-range Bluetooth connections - will
    raise the odds that virus writers will eventually try to beam a bug
    across the ether. Just as such services let the car send data to the
    outside world, malware writers could try to use those wireless
    conduits to send destructive payloads into cars.

    Systems like OnStar, known for providing emergency assistance or
    concierge services (its operators will make restaurant reservations
    for you), in fact hold deep conversations with the car's networks.
    Besides the ability to provide engine diagnostics and unlock the doors
    by remote to rescue forgotten keys, an advanced level of OnStar - now
    on about a dozen G.M. models - will report detailed data about a
    collision to emergency medical personnel.

    Navigation systems, which have used only a time signal from satellites
    to determine a car's location, are adding traffic information. The
    Acura RL is the first with this service; updates about congestion or
    construction delays are sent to the car and displayed on the
    navigation screen.

    Despite these potential pathways, creating a virus that would spread
    within the car would be no small feat. In the Windows-dominated PC
    universe, "the programmer only has to know the PC processor" to do
    damage, said Egil Juliussen of Telematics Research Group of
    Minnetonka, Minn., a firm that tracks the rise of in-car networking.

    "The auto is a very different environment," he said. "The infotainment
    system may have multiple processors and operating systems. The
    navigation system has one processor or operating system, the
    telematics system may have another one and the radio may have a third

    Getting a virus to propagate from one system to another would be akin
    to designing malware that could pass from a Windows environment to a
    Macintosh system and on to a Linux machine - infecting them all.

    "The point is that the virus writer needs to expand his knowledge by a
    factor of 10 or more over the PC world," Mr. Juliussen said. Even
    then, he said, with operating systems - particularly those that
    control crucial mechanical systems - remaining varied and proprietary,
    a successful virus could function in only a small fraction of cars.

    "It's feasible," Mr. Juliussen said, "just a lot harder."

    Whether virus writers can overcome the hurdles remains an open
    question, but evidence from the PC world suggests that as on-board
    networking becomes more widespread and standardized, they will
    certainly try. Early speculation, like the Lexus rumors, may help
    focus attention on the potential problem before car malware has a
    chance to flourish.

    "I am very happy to see as many rumors of that sort as believable as
    possible as soon as possible," said Peter B. Ladkin, a professor of
    computer networks and distributed systems at the University of
    Bielefeld in Germany. "Because it means that more automakers will pay
    attention to what they're doing."


    1. http://query.nytimes.com/search/query?ppds=bylL&v1=TOM%20ZELLER&fdq=19960101&td=sysdate&sort=newest&ac=TOM%20ZELLER&inline=nyt-per

More information about the paleopsych mailing list