Alternatively, hackers may deliver malicious input by encoding it into a CD or a song file, which may "live" on an iPod or other MP3 player, or by installing software that attacks the car's media system when it connects to the Internet.
Currently, however, the Internet is only a hypothetical vulnerability, says Roesner. "In the case of the car that we examined, we used the malicious file on a CD to exploit a vulnerability in the radio."
"In our research, we showed that attackers with access to the car's network can completely control most of the car's computerized components," she says. This could allow an attacker to sabotage an automobile -- disable the brakes or lights, for instance. "But we also showed that attackers could use such exploits to perform espionage," Roesner explains. Examples include the ability to extract potentially sensitive GPS data from a system and send it outside of the vehicle to an attacker. Also, a car could be stolen if the hacker can override the car's computerized theft detection/prevention system.
Automobiles most at risk include those with more components under computer control and without manual overrides, and those that are more connected to the outside world via the Internet or wirelessly, says Roesner.
Law enforcement fleet concerns
A security attack on a law enforcement fleet, in particular, may risk the lives of police officers as well as the general public. This issue raises concern at the Arizona Department of Public Safety, which in June fell victim to hackers who downloaded and released hundreds of law enforcement files on the Internet to protest a newly passed law they perceived as racist.
Hackers infiltrated accounts of Arizona law enforcement personnel and email accounts of the Arizona Legislature in a separate attack, posting items such as credit card information, photos, emails and documents including a master list of passwords and names and addresses of other police officers throughout the state of Arizona, according to Stacey Dillon, president of Public Safety Authority Media.
Extrapolating from there, she says, "If the hackers had accessed our fleets by, say, hijacking our GPS system, it could present a lot of officer safety issues." In that scenario, police couldn't send backup units to the correct location if the GPS were compromised.
One safety check already in place: If a patrol car is idle or is stopped for 45 minutes to an hour, "an automatic signal is sent to our dispatchers and they're told to check on it," says Dillon.