"There's no culture of security," said Chris Valasek, director of vehicle security research at the computer security consulting firm IOActive, in a keynote speech at the SecTor IT security conference in Toronto this week.
That's a concern, he said, because of the potential damage that can be caused by a remotely hijacked car.
"Unlike regular PCs, if your car is breached, there’s a chance for physical loss and not just financial loss," he said. "Smashing your car into a pole or braking and starting a traffic jam are things that aren't easily fixed."
In recent years, security researchers at the University of Washington showed they could hack a car and start it either via the systems used for emissions testing or remotely using things like Bluetooth wireless connectivity or cellular radio.
Others showed they could hack a car remotely via a cellular-based car alarm system to unlock the doors and start the engine.
Valasek himself and his research partner Charlie Miller, a security engineer at Twitter, have been starting to experiment with remote attacks after demonstrating that a laptop inside the car can be used to disable brakes and power steering and confuse GPS and speedometers.
He said that while there have been no attacks on the public so far, he expects that to change as the growing popularity of high-tech features in cars drastically increases the number of potential targets available to would-be car hackers.
"Technology is driving auto sales," he said, pointing out that GM commercials in the U.S. tout their cars' WiFi capabilities.
Just Thursday, Ford announced new technology available starting 2015 that will detect pedestrians using radar and camera technology and automatically apply the brakes.
Already, automatic braking systems and adaptive cruise control that speeds up or slows down the car in response to the car in front of you are installed in "way more cars than you think," Valasek said in an interview following his talk.
He suggests that it's not too early for national leaders and others who might face targeted attacks to think about the security risks of their car's technological features.
"The average consumer doesn't have much to worry about, but… as these become more and more ubiquitous within all vehicles, we do potentially see public attacks."
Insecure technology built into cars, required by law
In his talk, Valasek showed how the design of in-car networks makes them vulnerable to hacking. The communication between software and braking and steering systems is designed so that if the system receives a message that it understands, telling it to apply the brakes, for example, it will comply.
"It doesn't ask where it came from and doesn't ask who sent it."
Researchers have shown that such messages can be sent via other systems in the car that don't directly control the car, such as its Bluetooth connections, remote keyless entry or infotainment systems. Those could, in turn, be used to indirectly hijack the car's control systems.
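To make the two points above concrete, here is an added example that is not from the article, from Valasek or from IOActive. It assumes the in-car network is a broadcast bus of periodic, unauthenticated frames (the CAN bus found behind the diagnostic port in mainstream cars), and models a receiver that behaves exactly as described: it acts on any well-formed frame carrying the ID it listens for, because the frame has no sender field to check. Alongside it is the kind of lightweight check a vehicle-side monitor could run, which flags a frame on a periodic ID that arrives far sooner than its nominal period, since a duplicate of a legitimate frame is what an injected message looks like on the bus. The log lines (candump-style), the arbitration IDs 0x123 and 0x200, their 100 ms periods and the payload bytes are all constructed for the illustration and correspond to no real vehicle.

```python
import re
from dataclasses import dataclass

# Constructed candump-style log: "(seconds) interface ID#HEXDATA".
# IDs, periods and payloads are invented for this example.
SAMPLE_LOG = """\
(0.000) can0 123#0100000000000000
(0.050) can0 200#0000000000000000
(0.100) can0 123#0100000000000000
(0.150) can0 200#0000000000000000
(0.200) can0 123#0100000000000000
(0.250) can0 200#0000000000000000
(0.300) can0 123#0100000000000000
(0.305) can0 123#FF00000000000000
(0.350) can0 200#0000000000000000
(0.400) can0 123#0100000000000000
(0.405) can0 123#FF00000000000000
"""

# Assumed nominal transmit period per ID (constructed); a real monitor would
# learn these from a baseline recording of the specific vehicle.
NOMINAL_PERIOD_MS = {0x123: 100, 0x200: 100}

LINE_RE = re.compile(r"\(([\d.]+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")


@dataclass(frozen=True)
class Frame:
    t_ms: int      # arrival time in milliseconds
    arb_id: int    # arbitration ID; note there is no "sender" field at all
    data: bytes    # 0..8 payload bytes


def parse_log(text):
    """Parse candump-style lines into Frame objects; unparseable lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t_ms = int(round(float(m.group(1)) * 1000))
        frames.append(Frame(t_ms, int(m.group(2), 16), bytes.fromhex(m.group(3))))
    return frames


class NaiveReceiver:
    """Models the behaviour the article describes: any well-formed frame with
    the listened-for ID is acted on. Nothing identifies who put it on the bus."""

    def __init__(self, listen_id):
        self.listen_id = listen_id
        self.commands = []

    def receive(self, frame):
        if frame.arb_id == self.listen_id and len(frame.data) == 8:
            self.commands.append(frame.data[0])   # first byte treated as the command
            return True
        return False


class PeriodDetector:
    """Flags a frame on a periodic ID that arrives in less than `tolerance`
    of its nominal period. A legitimate sender keeps transmitting on schedule,
    so an extra frame shows up as an abnormally short inter-arrival gap."""

    def __init__(self, nominal_ms, tolerance=0.5):
        self.nominal_ms = nominal_ms
        self.tolerance = tolerance
        self.last_seen = {}

    def observe(self, frame):
        nominal = self.nominal_ms.get(frame.arb_id)
        prev = self.last_seen.get(frame.arb_id)
        self.last_seen[frame.arb_id] = frame.t_ms
        if nominal is None or prev is None:
            return False
        return (frame.t_ms - prev) < nominal * self.tolerance


def analyse(log_text, nominal_ms=NOMINAL_PERIOD_MS, listen_id=0x123):
    """Replay a log through the naive receiver and the detector side by side."""
    receiver = NaiveReceiver(listen_id)
    detector = PeriodDetector(nominal_ms)
    alerts = []
    for frame in parse_log(log_text):
        receiver.receive(frame)
        if detector.observe(frame):
            alerts.append((frame.t_ms, frame.arb_id))
    return {"accepted": len(receiver.commands),
            "commands": receiver.commands,
            "alerts": alerts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("frames acted on by receiver:", result["accepted"])
    print("timing alerts (t_ms, id):", result["alerts"])
```

Replaying the constructed log, the receiver acts on all seven frames carrying 0x123, including the two off-schedule ones, because it has no way to tell them apart; the period check flags exactly those two. The check is deliberately simple and is only a starting point: it is blind to a sender that is silenced rather than duplicated, and it needs per-vehicle baselines, which is why it is offered as a detection idea rather than a fix for the missing authentication itself.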
The challenge is that the insecure messaging systems found in cars are generally standardized and required by law for purposes such as emissions testing, Valasek said.
Meanwhile, he added, car manufacturers generally say little about what they are doing to mitigate the risks of systems like that.
As far as he knows, they haven't developed any means to detect attacks.
Toyota has said it protects its cars with a firewall, but Valasek said similar simple solutions have proven ineffective at protecting PCs.
He's also concerned that car manufacturers lack a system for distributing security patches or upgrades to cars, other than sending customers a letter by mail and asking them to drive to a shop for service. He suggested that asking customers to do that "after a 10-hour work day and picking up the kids and walking the dog" isn't going to work.
Valasek likened car manufacturers to throwbacks from a previous era in information technology who haven't learned from the past mistakes of software makers.
"Right now," he said, "security seems like an afterthought." Part of that may be simply a lack of transparency and a reluctance of carmakers to talk about security, he acknowledged.
Things could finally be changing, he added, noting that in September, GM appointed its first cybersecurity chief.
In the meantime, he said, car buyers shouldn't worry too much before choosing a car with automatic braking or other collision avoidance systems.
"The odds of these things saving your ass as opposed to being used against you in an attack are two separate ends. These things will definitely make you safer, not more safe."