A new study shows automotive software is as vulnerable to malicious hackers as the average PC. The report, entitled "Experimental Security Analysis of a Modern Automobile," was presented in May at the 2010 IEEE Symposium on Security and Privacy by a team from the University of Washington and the University of California, San Diego.
The research paper demonstrated how a sophisticated hacker could wreak havoc on a vehicle by manipulating the in-vehicle computer network or remotely accessing it via its wireless connectivity to the Web. The 11-person research team pointed out that all new cars are "pervasively computerized," with computers controlling a wide array of components, including the engine, brakes, heating and cooling, lights, instrument panel, radio, and locks.
The researchers tested two 2009-model-year cars, whose make and model were not identified. They were able to connect a laptop to a standard onboard diagnostic computer port, which allowed them to control the car's computer wirelessly using a second laptop in a separate car. The team didn't identify the test cars because they did not want to single out a particular automaker.
However, both vehicles had the controller area network (CAN) system, required as a diagnostic tool on all U.S. cars built since 2008. The team wrote a software utility program allowing them to listen to CAN traffic and insert their own network instructions. The paper demonstrated the ease with which a sophisticated attacker could control a wide range of automotive functions and completely bypass driver input.
For example, by accessing the various electronic control modules (ECM) or the engine control module, the researchers were able to manipulate the fuel level gauge, falsify the speedometer reading, display arbitrary dashboard messages, dial up the heat or A/C, lock passengers in the car, continuously blare the horn, pop the trunk, turn off the lights, activate the windshield wipers, disable the brakes, selectively brake individual wheels on demand, and stop the engine. In addition, after deploying these malicious software commands, the team successfully erased any evidence of their tampering.
The research paper suggests two attack scenarios. The first is physical access gained by a mechanic, or even a spiteful significant other, who wishes to monitor and manipulate the vehicle's controls remotely over the Internet. The second is someone hacking into one of the wireless networks found inside a vehicle.
I would like to postulate another possible attack scenario: one by a disgruntled computer-savvy employee, out to exact revenge on the company for a perceived wrong. Another possible attack could be directed at company officers by maliciously hacking into their executive fleet vehicles.
If you consider this far-fetched, consider the implications of what happened recently in Austin, Texas. Last February, more than 100 drivers in Austin had their vehicles immobilized or their horns blared uncontrollably after a disgruntled employee at a dealership hacked a system used to warn customers when they are behind on their auto repayment plans.
The PCs in the early 1990s had latent software vulnerabilities. This wasn't an issue at the time because PCs did not have connectivity to other computers, outside of a local area network. However, when they became connected to the Internet, these latent vulnerabilities were exposed to outside attack.
Vehicle technology is moving in the same direction, with a strong trend to provide Internet connectivity. Cars were once strictly mechanical devices, but now we're seeing more and more electronics and connectivity, which means increased potential risk.
The researchers wanted to point out the potential security risks if someone gained access to a vehicle's internal computer network. They did not want to take an alarmist tone, but simply show that it is possible. In the end, the software in a fleet vehicle is not fundamentally different from software on a PC; it's all binary code.
The researchers advocate "hardening" these onboard systems and providing malware defenses before car hacking becomes a real problem. It's important to stress that no remote car hacking attacks have ever been recorded, and experiments designed to load malware into car systems using Bluetooth have been unsuccessful.
Hacking a car isn't easy. A would-be criminal would need advanced computer skills and access to the vehicle's on-board electronic and engine control modules to launch an attack. Fleet managers shouldn't be worried, at least not for now. However, five to 10 years from now, all bets are off.
Mike Antich is the editor and associate publisher of Automotive Fleet magazine and four other fleet-related publications of Bobit Business Media.