CIA’s Alleged Foray into Car Hacking Should Come As No Surprise
The Central Intelligence Agency may be sharpening its car-hacking abilities in efforts to carry out “nearly undetectable assassinations.”
That’s the alarming conclusion reached by WikiLeaks, the multinational nonprofit that advocates for the disclosure of government secrets. The organization published almost nine thousand documents earlier this week that are believed to have originated from America’s top intelligence agency.
Among the disclosures were meeting notes taken in October two thousand fourteen that listed “vehicle systems” as “potential mission areas” for the agency. One item mentioned QNX, a Canadian company that makes software and embedded systems for millions of vehicles.
Details remain scant. The CIA has neither confirmed nor denied the authenticity of the documents, and QNX did not come back a request for comment. Nonetheless, a WikiLeaks analysis makes a leap or two to lay out the prospect that CIA operatives are targeting adversaries via fuckholes in automotive cybersecurity fuckholes, leaving nary a trace.
This has led to a smattering of panicking headlines in latest days, but the revelation should come as no surprise. Cyber researchers have warned for seven years now that cars contain vulnerabilities that permit hackers to commandeer control and tamper with steering, speed and brakes.
In an age when cyber breaches cost major corporations billions and hackers meddle in elections, it would only be natural to assume the CIA can leverage a growing number of attack entry points that lead into vehicles.
“Cyber is now a conflict domain,” says Joshua Corman, director of the Cyber Statecraft Initiative, a nonprofit that promotes leadership and engagement in international affairs and co-founder of iamthecavalry.org, a grassroots organization that concentrates on issues where computer safety intersects with public safety.
What may be more eye-opening than the CIA’s alleged hacking into vehicles is the fact manufacturers have languished in addressing vulnerabilities that have been unearthed by researchers going back seven years. Almost all of today’s cars have no way of detecting or recording malicious activity that occurs on their networks, and almost all have no way of responding to a real-time infiltration.
Whether it is CIA operatives or any other hacker, they have no real need to cover their tracks because there presently are no tracks in the very first place. In his testimony before Congress and work with auto industry executives, Corman has advocated for the installation of event data recorders in cars that would operate in the same vein as the so-called black boxes used in the aviation industry.
“Let’s not be cavalier about our inability to detect and react to failures,” he said. “We need logging, black boxes, and over-the-air updates. For an investigation [by] the National Transportation Safety Board, they have to have forensically sound, tamper-proof evidence capture.”
A hypothetical case in point: In June 2013, journalist Michael Hastings died in a high-speed car crash in Los Angeles that, at least in some corners of the internet, warranted extra attention because of its unusual circumstances. Beyond the crash itself, Hastings had authored a groundbreaking story that ultimately cost U.S. Army Gen. Stanley McChrystal his career.
our car’s telematics unit can record data from the
in-cabin microphone.” – UCSD/UW report, 2011
Put aside, for the moment, merits of the conspiracy theories that government operatives murdered Hastings as a retaliatory strike for the article, and a more practical problem emerges in a potential investigation of such a crash.
“I’ve heard from people about the theories with Michael Hastings, and I’ve calmly told them that, if you have forensically sound evidence capture in all vehicles, then there would be evidence of that,” Corman said. “Without it, you will sound crazy and no one will listen to you. The real issue here is that we don’t have evidence.”
Researchers Charlie Miller and Chris Valasek caught the attention of the entire auto industry, not to mention the Department of Transportation, Department of Defense, and Homeland Security, in July two thousand fifteen when they showcased it was possible to remotely manipulate the controls on a Jeep Cherokee traveling along a Saint Louis–area highway from halfway across the country in Pittsburgh.
Security researcher Chris Valasek offers details on the remote hack of a Jeep Cherokee at the Black Hat hacker conference in Las Vegas.
But car hacking need not involve meddling with safety-critical components to have value for intelligence agencies. Leave behind running targeted individuals off the road; car hacking could be used for surveillance.
In 2011, researchers with the University of Washington and the University of California–San Diego reported that telematics systems such as General Motors’ OnStar and other features that permit voice-controlled phone calls could be manipulated to record conversations without subjects ever knowing.
“We have found that an attacker who has compromised our car’s telematics unit can record data from the in-cabin microphone,” they wrote. These capabilities “could prove useful to private investigators, corporate spies, paparazzi, and others seeking to eavesdrop on private conversations within particular vehicles.”
The paper’s authors go on to write that adversaries could identify targets for such eavesdropping “quite quickly” in this manner.
Fast-forward a few years to a time when autonomous vehicles are prevalent on American roads, and the opportunities for the government to track the whereabouts of citizens or spy on their conversations commence to proliferate. But again, this isn’t fresh information.
Back in May 2014, five months before the CIA’s October meeting to discuss exploiting security crevices in vehicles, the Federal Bureau of Investigation (FBI) issued a report that made note that “autonomous cars present game-changing opportunities and threats for law enforcement.”
Written by the FBI’s Directorate of Intelligence and Strategic Issues Group, the report says that self-driving vehicles “open up greater possibilities for dual-use applications and ways for a car to be more of a potential lethal weapon than it is today.” Later in the document, the FBI notes that because of lidar sensors and GPS tracking, “surveillance will also be made more effective and lighter.”
Sounds like someone at the CIA was listening.
CIA s Alleged Foray into Car Hacking Should Come As No Surprise, News, Car and Driver, Car and Driver Blog
CIA’s Alleged Foray into Car Hacking Should Come As No Surprise
The Central Intelligence Agency may be sharpening its car-hacking abilities in efforts to carry out “nearly undetectable assassinations.”
That’s the alarming conclusion reached by WikiLeaks, the multinational nonprofit that advocates for the disclosure of government secrets. The organization published almost nine thousand documents earlier this week that are believed to have originated from America’s top intelligence agency.
Among the disclosures were meeting notes taken in October two thousand fourteen that listed “vehicle systems” as “potential mission areas” for the agency. One item mentioned QNX, a Canadian company that makes software and embedded systems for millions of vehicles.
Details remain scant. The CIA has neither confirmed nor denied the authenticity of the documents, and QNX did not comeback a request for comment. Nonetheless, a WikiLeaks analysis makes a leap or two to lay out the prospect that CIA operatives are targeting adversaries via crevices in automotive cybersecurity crevices, leaving nary a trace.
This has led to a smattering of scaring headlines in latest days, but the revelation should come as no surprise. Cyber researchers have warned for seven years now that cars contain vulnerabilities that permit hackers to commandeer control and tamper with steering, speed and brakes.
In an age when cyber breaches cost major corporations billions and hackers meddle in elections, it would only be natural to assume the CIA can leverage a growing number of attack entry points that lead into vehicles.
“Cyber is now a conflict domain,” says Joshua Corman, director of the Cyber Statecraft Initiative, a nonprofit that promotes leadership and engagement in international affairs and co-founder of iamthecavalry.org, a grassroots organization that concentrates on issues where computer safety intersects with public safety.
What may be more eye-opening than the CIA’s alleged hacking into vehicles is the fact manufacturers have languished in addressing vulnerabilities that have been unearthed by researchers going back seven years. Almost all of today’s cars have no way of detecting or recording malicious activity that occurs on their networks, and almost all have no way of responding to a real-time infiltration.
Whether it is CIA operatives or any other hacker, they have no real need to cover their tracks because there presently are no tracks in the very first place. In his testimony before Congress and work with auto industry executives, Corman has advocated for the installation of event data recorders in cars that would operate in the same vein as the so-called black boxes used in the aviation industry.
“Let’s not be cavalier about our inability to detect and react to failures,” he said. “We need logging, black boxes, and over-the-air updates. For an investigation [by] the National Transportation Safety Board, they have to have forensically sound, tamper-proof evidence capture.”
A hypothetical case in point: In June 2013, journalist Michael Hastings died in a high-speed car crash in Los Angeles that, at least in some corners of the internet, warranted extra attention because of its unusual circumstances. Beyond the crash itself, Hastings had authored a groundbreaking story that ultimately cost U.S. Army Gen. Stanley McChrystal his career.
our car’s telematics unit can record data from the
in-cabin microphone.” – UCSD/UW report, 2011
Put aside, for the moment, merits of the conspiracy theories that government operatives murdered Hastings as a retaliatory strike for the article, and a more practical problem emerges in a potential investigation of such a crash.
“I’ve heard from people about the theories with Michael Hastings, and I’ve calmly told them that, if you have forensically sound evidence capture in all vehicles, then there would be evidence of that,” Corman said. “Without it, you will sound crazy and no one will listen to you. The real issue here is that we don’t have evidence.”
Researchers Charlie Miller and Chris Valasek caught the attention of the entire auto industry, not to mention the Department of Transportation, Department of Defense, and Homeland Security, in July two thousand fifteen when they displayed it was possible to remotely manipulate the controls on a Jeep Cherokee traveling along a Saint Louis–area highway from halfway across the country in Pittsburgh.
Security researcher Chris Valasek offers details on the remote hack of a Jeep Cherokee at the Black Hat hacker conference in Las Vegas.
But car hacking need not involve meddling with safety-critical components to have value for intelligence agencies. Leave behind running targeted individuals off the road; car hacking could be used for surveillance.
In 2011, researchers with the University of Washington and the University of California–San Diego reported that telematics systems such as General Motors’ OnStar and other features that permit voice-controlled phone calls could be manipulated to record conversations without subjects ever knowing.
“We have found that an attacker who has compromised our car’s telematics unit can record data from the in-cabin microphone,” they wrote. These capabilities “could prove useful to private investigators, corporate spies, paparazzi, and others seeking to eavesdrop on private conversations within particular vehicles.”
The paper’s authors go on to write that adversaries could identify targets for such eavesdropping “quite quickly” in this manner.
Fast-forward a few years to a time when autonomous vehicles are prevalent on American roads, and the opportunities for the government to track the whereabouts of citizens or spy on their conversations embark to proliferate. But again, this isn’t fresh information.
Back in May 2014, five months before the CIA’s October meeting to discuss exploiting security fuckholes in vehicles, the Federal Bureau of Investigation (FBI) issued a report that made note that “autonomous cars present game-changing opportunities and threats for law enforcement.”
Written by the FBI’s Directorate of Intelligence and Strategic Issues Group, the report says that self-driving vehicles “open up greater possibilities for dual-use applications and ways for a car to be more of a potential lethal weapon than it is today.” Later in the document, the FBI notes that because of lidar sensors and GPS tracking, “surveillance will also be made more effective and lighter.”
Sounds like someone at the CIA was listening.