Security experts shrug off CIA memo that mentioned Canada's BlackBerry QNX

'No magic techniques they have that nobody knows about,' expert says of CIA

UPDATED: 3/15/17 10:41 am ET - corrected

Editor's note: Bryson Bort's name was misspelled in an earlier version of this story.

A memo dated Oct. 23, 2014, became unexpectedly newsworthy last week. The memo runs through a list of topics discussed at a planning meeting, talks about whether the group needs a branding strategy or a "flagship product" and ends with a reminder to everyone involved that teamwork is dream work.

Pretty banal, office-life stuff.

Except the memo is part of a WikiLeaks dump of internal CIA documents. And two of the bullet items, with a total of 15 words, indicate the CIA was considering exploring how to hack into cars remotely. It specifically mentions software developed by Canada's BlackBerry QNX.

The revelation resulted in a lot of panicky headlines, but security experts have shrugged it off.

"None of it's that surprising," said Stefan Savage, a computer science professor at the University of California, San Diego. "It's their job. Their job is to spy on people."

Some have interpreted the memo to mean the CIA already can and does hack into cars. A few conspiracy theorists have made the leap from this memo to the puzzling death in a car crash of journalist Michael Hastings in 2013, which came shortly after he told friends he was working on a big investigative government story and that he needed to go underground for a while.

While these conclusions may be wildly off base, cybersecurity analysts are kind of enjoying the attention. For them, it promises to bring awareness to a security issue they believe has been under the radar for too long, despite years of high-profile hacking incidents across a variety of industries.

"Then this comes along and becomes a real issue," said Ariel Sobelman, president of HDBaseT Alliance, a group working toward standardizing in-car connections and security.

Spying TVs

The car-hacking revelation came in the same WikiLeaks dump of 8,671 documents that revealed the CIA can hack into Samsung TVs and listen in and watch people in their homes.

But the Samsung information is much more detailed. It has step-by-step instructions on how to make a Wi-Fi system seem off when it is not and how to remotely check the time on a TV. It spells out the CIA's capabilities enough to raise eyebrows.

"Samsung TVs we can talk all day," said Savage, who is also principal investigator at the Center for Automotive Embedded Systems Security. For cars, there are just two bullet points in the memo. "It's very hard to reach any conclusion about any capabilities that they may have," he said.

Savage has been at the center of the auto industry's cybersecurity research since he co-authored a 2010 paper raising the specter of vehicles being compromised. He was underwhelmed with the WikiLeaks document dump's connection to cars.

To a certain extent, Savage said, the WikiLeaks papers give some insight into what the CIA knows: very little. "There's no magic techniques they have that nobody knows about," he said. "That was my big takeaway: There is no secret sauce."

The memo mentioned QNX, which is the BlackBerry-owned operating system that runs on roughly half of the in-car infotainment systems in vehicles today. But WikiLeaks did not provide any other documentation that the CIA had found a way in to car operating systems through QNX.

That's not to say it may not have found an opening. Charlie Miller, autonomous security transportation lead at Didi Chuxing, was one of the first cybersecurity experts to bring attention to the idea that cars could be hacked remotely. In 2015, Miller and his partner, Chris Valasek, hacked into a Jeep Cherokee with a Wired reporter at the wheel. The experiment resulted in a recall of 1.4 million Cherokees to patch a hole in the car's software.

"It took Chris and I about two years to go from start to finish, but we were just two guys working in their spare time," Miller told Automotive News last week. "A well-funded organization could accomplish the feat much quicker."

So it is possible the CIA could take over your car while you're driving. But it's also likely a bored teenager with a good Internet connection could find his or her way into it.

"Whether it's the Russian mafia or a guy hacking from his garage, it's more about entry points than it is about who is behind" the hacks, said Steve Crumb, executive director of Genivi Alliance, a collection of carmakers and suppliers working to develop standards for smartphone-to-car connections.

What hackers want

The spy-movie idea that a government agency could launch a coordinated cyberattack through cars has captured the public's imagination and concern since car cybersecurity emerged as an issue over the past five years. While Hollywood-like scenarios are possible in the realm of auto cybersecurity, they're not likely.

"That's not the primary threat," said Bryson Bort, CEO of cybersecurity firm Grimm. "It's organized crime, hack-tivists."

If anything, government hackers want information, Bort said. They want the data around where the car has been, where it's going. Intelligence agencies might want to listen in on conversations inside the car.

Bort took particular umbrage at a WikiLeaks press release that tied car hacking to "undetectable assassination." That line resurrected conspiracy theories surrounding the death of Hastings, the 33-year-old journalist who died in July 2013 after his Mercedes C250 crashed into a tree and burst into flames.

Hastings was a freelance journalist who had written a profile about U.S. Army Gen. Stanley McChrystal, who was fired after the piece was published over comments he made critical of the Obama administration.

Earlier the day of the crash, Hastings told a friend that he was on to a big story and needed to go off the grid for a while. Hours later, he was dead.

Police investigated the crash and determined it was an accident. Friends of Hastings have said he had a substance abuse problem and may have been dealing with some personal problems.

But the accident almost immediately became fodder for conspiracy theorists who wondered whether the government had found a way to get a pesky journalist out of the way.

Car security experts say forcing a car to crash would be an ineffective way to try to assassinate someone.

"Vehicles are well-equipped to handle being in an accident," said Craig Smith, research director for transportation security at Rapid7, a security consulting firm. "With today's modern vehicle safety devices, it would be very challenging to kill an occupant in a car accident."

And self-driving cars -- which rely on multiple sensors before making a decision -- will be harder to hack.

"Self-driving vehicles use multiple types of sensors to make a decision just like humans use multiple senses," Smith said. "As an attacker, it's easier to trick one sensor than many different types of sensors."

But even if cars are safe and an ineffective assassination tool, like the old saying goes, just because you're paranoid doesn't mean they're not out to get you.

"The only people who should be concerned are people the CIA plan to assassinate," said Miller. "And if the CIA is planning to assassinate you, car hacking is the least of your concerns."

Katie Burke contributed to this report.

You can reach Sharon Silke Carty at scarty@crain.com -- Follow Shiraz on Twitter: @shirazzzz

25

Shares

Newsletters