Naked Security Naked Security

Help wanted: someone to hack cars for Canada defense research arm

If you're a hacker highly skilled at finding exploits in connected cars, here's a job for you - hacking cars for the Canadian military.

Car hacking

If you’re a hacker highly skilled at finding exploits in connected cars, here’s a job for you – hacking cars for the Canadian military.

There’s no shortage of opportunities for car hackers these days, as we’ve seen in recent months – some computerized cars and trucks are vulnerable and poorly defended against cyberattacks.

A notice published on the Canadian government’s procurement website says the car hacking research will be conducted on behalf of Defence Research and Development Canada (DRDC – which is akin to the US’s DARPA).

The successful bidder for the car hacking contract will be required to develop exploits and mitigation techniques for unspecified vehicles, focusing on intra-vehicle communications systems.

The job pays $205,000 (CAD), with additional work paying up to $620,000.

Recent revelations about cybersecurity deficiencies in automobiles have sent shockwaves through the automobile industry, which is working to get its own cybersecurity research center off the ground.

Security researchers Chris Valasek and Charlie Miller demonstrated how they could take over a 2014 Jeep Cherokee via a cellular connection, controlling the vehicle’s brakes, accelerator, steering and other functions remotely.

Valasek and Miller found a vulnerability in the Jeep’s connected entertainment system that allowed them to gain access to other systems – even though the entertainment system is supposed to be firewalled off from things like steering and accelerator.

Their exploit led to more than 1 million Fiat Chrysler vehicles being recalled for patching.

Other researchers have demonstrated how vulnerable cars can be to hacking via mobile apps like remote starters; and the US government and the state of Virginia recently sponsored research into cybersecurity for police cruisers.

Self-driving cars aren’t immune either, as a researcher proved by forcing an autonomous vehicle to suddenly stop when the car’s sensors were targeted with lasers.

Car makers General Motors and Tesla are launching formal bug bounty programs asking researchers to help plug security holes in their vehicles.

Meanwhile, the US Congress is looking at mandating cybersecurity standards for new cars and trucks.

As Canada’s procurement notice states, vehicles in recent years have a huge attack surface – up to 100 onboard computers running millions of lines of code.

As for why the Canadian military is looking into car hacking, the procurement notes that – unlike the usual attacks on computer systems that result in lost data and financial consequences – car hacking poses a physical threat to safety.

Valasek, who was recently hired to help develop safer driverless cars by Uber – tells the CBC that exploits developed by the Canadian military could be used for both defensive and offensive purposes.

 


Image of car on freeway courtesy of Shutterstock.com.