City

Hackers could sow chaos by shutting down connected cars, researchers say

A new study led by a Georgia Tech professor imagines a nightmare scenario in which hackers control enough internet-connected vehicles to shut down an entire city.

By Benjamin Freed

August 1, 2019

Getty Images

Imagine driving through downtown at rush hour and encountering a wall of stalled traffic on the main thoroughfare. But side streets offer no refuge — they’re clogged up too. Eventually, it turns out, this epic traffic jam isn’t the result of some nasty accident. Rather, 20 percent of cars in the vicinity have been turned off thanks to the work of an aggressive hacker exploiting vulnerabilities in the vehicles’ onboard, internet-connected computers.

The scenario may not be that far-fetched. According to a new paper by physicists at the Georgia Institute of Technology and Multiscale Systems, an advanced materials firm, a motivated hacker could create chaos and crippling gridlock on city streets by gaining access to late-model cars’ computer systems and shutting them down at random.

The study, “Cyber-physical risks of hacked Internet-connected vehicles,” appears in a new edition of the journal Physical Review E. The paper’s lead author, Peter Yunker, an assistant professor of physics at Georgia Tech, told StateScoop his analysis was inspired in part by previous warnings from cybersecurity experts that connected vehicles are potentially ripe targets for hackers looking to create mayhem on city streets.

“We’re not opposed at all to connected vehicles,” Yunker said. “We’re just raising concerns when planning for the future and opening our cities to new technologies.”

There are about 49 million internet-connected cars in the United States today, with millions more being added to the streets every year. New-model vehicles include a variety of safety and navigation features that use an internet connection, such as sensors for assisted parking and GPS-guided navigation. Cybersecurity researchers have warned previously that a hacker who gains access to one of those systems could compromise the rest of the car, including running or shutting off the engine.

Computer systems in new cars run on more than 150 million lines of code on average, according to a 2018 KPMG report. And as autonomous-driving systems — which require even more programming — evolve, hackers could gain even more openings to take over vehicles, researchers at the University of Michigan wrote.

Yunker’s paper imagines a situation in which 20 percent of internet-connected vehicles in Manhattan are taken over and shut down. At 3 a.m., such an operation would affect about 2,500 cars, leaving one car stranded every kilometer and creating scattered traffic jams across the borough. But a similarly scaled attack at rush hour would leave 50,000 vehicles frozen in place, causing citywide disturbances that would make it impossible to move anywhere.

The upshot, Yunker said, would be a fast breakdown in city operations.

“You couldn’t get from one part of the city to another,” he said. “Obviously this would be very frustrating in a commute, but even worse if you think about [first] responders trying to get to a hospital or a fire.”

An imagined mass hacking effort against a fleet of connected vehicles has already played out in pop culture. During a pivotal scene in the 2017 film “The Fate of the Furious,” a villain played by Charlize Theron remotely commandeers dozens of cars in order to snarl up traffic so she can steal nuclear codes from a government official traveling through New York City.

The movie takes several creative liberties, of course, such as cars of many different makes and models all appearing to share a common operating system, but Yunker said the scene can be seen as complementary to his research.

“It’s definitely faster and more furious,” he said. “Kind of along the lines of our discussion, if someone takes over a car and controls it, there’s a lot of damage they can do.”

Yunker said his team’s research was more inspired by a 2015 Wired article in which two white-hat hackers took over a Jeep Cherokee the author was driving at 70 miles per hour and brought it to a halt.

“We went through a lot of approaches that cybersecurity folks are proposing,” Yunker said. “One of them is that if a car detects it’s been hacked, it’s no longer safe and shuts itself down. Hopefully the dramatic action of ‘The Fast and the Furious’ would be a compete fantasy and the cars become 3,000 pound bricks.”

Yunker also acknowledged that a situation in which 20 percent of connected vehicles in a certain vicinity were hacked is extreme. The study draws on percolation theory, which is used in materials science to statistically model the conditions under which a material or property can spread through a substance or across a surface. In this case, Yunker and his colleagues concluded that it would take 20 percent of cars being compromised to create a citywide traffic shutdown.

But Yunker cautioned that even discounting the number of cars that could be hacked at any single moment, city officials celebrating the emergence of connected and autonomous vehicles need to be aware of the cars’ potential vulnerabilities.

“A hacker could cause an accident, a hacker could fool the sensors on the car to think there is stopped object, which would cause it to come to a stop,” he said. “We’re not in a case of waiting for connected and autonomous vehicles to be on the road. As soon as we open our cars to internet connections, these dangers start to exist.”