We have been talking about hacking cars on this blog since 2011 (see posts) so the idea of thieves stealing a car by hacking their way into its computer system is no big surprise. This is the reality of cybersecurity in the era of the Internet of Things (IoT), and cars are just one more IoT device. But 100 cars? How did they pull that off? Continue reading “Cybersecurity and #IoT – Hackers Steal Over 100 Cars With a Laptop”
Hackers can take over cars by hacking into their on board computer systems. Does it not stand to reason that they could do the same thing to an airplane? Maybe, maybe not, but a recent ruling by the FAA shows this was a concern for Boeing Model 777-200.
May 18, 2015 Update: This post was first published on March 14, 2014. Just over a year later, on May 17, 2015, there are several news reports out about a hacker (i.e., “security researcher”) who claimed to have briefly commandeered a commercial airliner through its in-flight entertainment system. See Feds Say That Banned Researcher Commandeered a Plane
Over the last few years I have written several posts about whether hackers could take over the controls of cars by hacking them (here) and whether doing so would violate the Computer Fraud and Abuse Act. From the time of my first post on this subject in 2011 until now, this discussion has moved from the theoretical, of whether it was possible, to the certain. It is possible and this video shows how hackers do this to cars.
Now, with the search for answers to how the Malaysian Flight 370 jetliner — a huge Boeing 777-200 airplane — just disappeared without a trace, some are starting to question whether that jetliner could have been hacked. That is, whether it may have been taken over by hacking into its computer system, turning off its tracking devices, and diverting it to a secret location. Who knows, right?
I certainly do not profess to have any specialized knowledge about whether this is possible other than basic common sense that tells me if it can happen to a car, it can happen to an airplane.
One security researcher has purportedly demonstrated that it is possible to take control of an airplane’s navigation and cockpit systems with an Android smartphone app (Researcher takes controls of aircraft system with Android phone) but the FAA explained why the researcher’s test would not allow him to actually take over the controls of a real airplane as the researcher was using a simulator ( FAA: ‘No, you CAN’T hijack a plane with an Android app’ ).
Regardless, another very important piece of information has come to light. On November 18, 2013, the Federal Aviation Administration issued a ruling that addressed concerns it had about the Boeing Model 777-200’s computer system being vulnerable to unauthorized internal access: Special Conditions: Boeing Model 777-200, -300, and -300ER Series Airplanes; Aircraft Electronic System Security Protection From Unauthorized Internal Access The FAA’s Ruling contained the following discussion:
The integrated network configurations in the Boeing Model 777-200, -300, and -300ER series airplanes may enable increased connectivity with external network sources and will have more interconnected networks and systems, such as passenger entertainment and information services than previous airplane models. This may enable the exploitation of network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the airplanes and occupants. This potential exploitation of security vulnerabilities may result in intentional or unintentional destruction, disruption, degradation, or exploitation of data and systems critical to the safety and maintenance of the airplane. . . . [T]hese special conditions are being issued to ensure that the security (i.e., confidentiality, integrity, and availability) of airplane systems is not compromised by unauthorized wired or wireless electronic connections between the airplane information services domain, aircraft control domain, and the passenger entertainment services.
Did the FAA’s special conditions issued in the Ruling alleviate this concern and adequately protect against the risk? We may never know. But, what we do know, is that this was a concern …
About the author
Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes across the United States and, through the Mackrell International Law Network, around the world.
What do connected cars and toilets have in common? That is the title to a recent Blog Post about an upcoming presentation at VMWorld 2013, Barcelona and, when I read it, I just had to quiz my readers to see who remembered …
Come on now, you do know the answer to this question, right? I have blogged about hacking cars several times and, if you heard my presentation to the Privacy, Data Security, and eCommerce Committee of the State Bar of Texas back in August then you certainly should remember. [Presentation / hint: see slides 26 & 27 below] Do you remember now?
That is right, we are starting to see both “wired” cars and toilets that (a) have microprocessors and/or store data, and (b) are connected to the Internet, which means (c) under the Computer Fraud and Abuse Act they are considered to be “protected computers” and, (d) therefore, if wrongfully accessed (through the system, not physically) are covered by the CFAA. There you go – have a great day!
A couple of years ago I blogged about (what was then) the hypothetical question of whether hacking a car would violate the Computer Fraud and Abuse Act. Since that time we have seen the idea of hacking a car become a reality. I have written updated blog posts in shared a video showing how hackers are doing this. Here is another article that takes it a step further: AP News: Hackers find weaknesses in car computer systems.
It is really quite simple: Modern cars are controlled by computers — everything, from the accelerator to the brakes to the steering to the windows to the locks — take over the computer, you take complete control over the car.
The idea of hacking a car is no longer fantasy. It is real. It can be very deadly.
Way back in 2011, I wrote a couple of posts about whether hacking a car would violate the Computer Fraud and Abuse Act. I really was being a bit silly when I first thought of this as I was just looking for a creative way to make a point. At first I did not really think that hacking a car was possible. I now know that it certainly is. And yes, I believe that hacking a car would violate the CFAA.
In the August 12, 2013 issue of Forbes, hackers not only explain how to hack a car, but show you what happens in a video. You really need to watch the video in this article: Hackers Reveal Nasty New Car Attacks–With Me Behind The Wheel (Video)
A few weeks ago I blogged about whether an unauthorized access of a car that has a computer and is connected to the Internet would violate the Computer Fraud and Abuse Act. Did you read it? Or, did you think it sounded too ridiculous?
Here it is if you want to take a look: Can stealing a CAR violate the Computer Fraud and Abuse Act?
Now go read this article written by Theresa Payton of Fortalice, LLC: Car Hack Attack The article was based on a television segment by Kristin Miranda of WBTV entitled Protecting Your Cyberturf. Care to guess the subject?
Hacking the computer of cars through malware embedded music downloads that then enable the hackers to open the doors, start the engine, and steal the car. Go read the article and see for yourself.
Now think about the question I asked a few weeks ago: do you think stealing a car can violate the Computer Fraud and Abuse Act?
- Can stealing a CAR violate the Computer Fraud and Abuse Act? (shawnetuma.com)
- Is a $5k loss required for each defendant under Computer Fraud and Abuse Act? (shawnetuma.com)
- Can you get your attorneys’ fees under the Computer Fraud and Abuse Act? (shawnetuma.com)
- Minimizing the risk of employee data breach and privacy mischief in the cloud (shawnetuma.com)
- “What Does CFAA Mean and Why Should I Care?” – A Primer on the Computer Fraud and Abuse Act for Civil Litigators (shawnetuma.com)
Ford wants its cars connected to the Internet. By now we all know from my previous post on United States v. Kramer that the Computer Fraud and Abuse Act applies to anything with a microchip or data processor that is connected to the Internet.
So, the question I have is, if someone steals one of these cars by “hacking” into the electronics system without, or exceeding, authorized access, will that be a violation of the Computer Fraud and Abuse Act?
What do you you think?
Here is the article that prompted this question: Ford Wants Help In Merging Cars With Web – Venture Capital Dispatch – WSJ.