Could you find yourself at the wheel of two tons of rolling steel that has malevolent code coursing through its?
The prospect is not so implausible. A handful of real if fairly benign cell phone viruses have already been observed, in antivirus industry parlance, "in the wild."
Still, a virus in a cell phone might muck up an address book or, at worst, quietly dial Vanuatu during peak hours. But malicious code in cars, which rely onfor functions as benign as seat adjustment and as crucial as antiskid systems that seize control of the brakes and throttle to prevent a crash, could do far more harm.
The Lexus tale, based on murky reporting and a speculative statement by Kaspersky Labs, a Moscow antivirus company, seems to have been unfounded. "Lexus and its parent companies, Toyota Motor Sales USA Inc. and Toyota Motor Corporation in Japan, have investigated this rumor," the carmaker said in a statement last month, "and have determined it to be without foundation."
But the question lingers: Could a car be infected by a virus passed along from, say, your cell phone or handheld computer? Or worse, by a hacker with a Bluetooth device within range of the car's antennas?
The short answer is, not yet.
"Right now this is a lot of hype rather than reality, the idea that cars could be turning against us," said Thilo Koslowski, a vice president and lead analyst for auto-based information and communication technologies at Gartner G2, a technology research firm. "We won't see John Carpenter's 'Christine' becoming a reality anytime soon."
But Koslowski and others are quick to point out that the elements for mischief are slowly falling into place:
First, vehicles are increasingly controlled by electronics--to the point that even the simple mechanical link between the gas pedal and engine throttle is giving way to "drive by wire" systems.
Second, more data is being exchanged with outside sources, includingand real-time traffic reports.
Finally, the interlinking of car electronics opens up the possibility that automotive worms could burrow into a memory storage area in ways that engineers never imagined.
Since the early 1990s, the various computers that manage a car's engine, transmission, brakes, air bags and entertainment systems have been increasingly linked in networks much like the ones that offices use to let workers share printers, scanners and backup storage drives. Benefits of interconnecting the electronic devices include less wiring--a luxury car can contain miles of copper cables--and reduced weight, an important factor in improving performance and fuel economy.
Less obvious are the advantages of having the components communicate: an antiskid system, designed to help keep a car from spinning out of control, links sensors in the steering, brakes and throttle, and can effectively seize control from the driver.
Other systems in which computers essentially take over, if only for a second, include emergency-brake assist, which provides maximum braking force when sensors detect the need for a panic stop, and "active steering," a feature now exclusive to BMW in which computers can compensate for a driver's recklessness.
The latest versions of in-car information systems, known as telematics, include the ability to diagnose vehicle maladies. General Motors' OnStar can forward readings from sensors throughout the car for troubleshooting, a process called remote diagnostics. (All GM cars will include OnStar by the end of 2007.)
The data, read from the engine-control computer, is transmitted over the OnStar cellphone link. Several automakers have discussed plans to use this conduit to update a vehicle's software or even perform electronic repairs, though no automaker is currently doing this regularly. Microsoft has entered this business, too, having recently signed a deal to provide software for ato be installed in all Fiats, starting this year.
By design, the various controls are not isolated from other in-car processors, since they need to share information to operate effectively and avoid the need for redundant sensors, wiring and microprocessors. Also, automakers have begun to share in-car processing power and memory capacity over the network, said Paul Hansen, the publisher of an industry newsletter, The Hansen Report on Automotive Electronics.
In a car with a stand-alone cell phone installation there would be no pathway for pernicious computer code to enter the vital electronic systems. But as automakers work to take advantage of linked processors, ready exchanges of data--and malware--become possible.
Possible does not, however, mean easy. Unlike the anonymous and remote world of PC viruses delivered over the Internet, a ne'er-do-well would need, in most cases, a few moments alone with a car to impregnate it with malware--for now.
Marko Wolf, a research associate at Ruhr-Universitat in Bochum, Germany, and co-author of a recent study of security in automotive networks, said a rogue mechanic with under-the-hood access could make short work of planting malicious code. And as internal networking reaches the exposed extremities of a car--its side mirrors, say, or its lights--the number of potential access points increases.
"Cars have extended their bus wires and controllers even into their electronic mirrors" and to receivers for global-positioning signals, Wolf said, conjuring a "Mission: Impossible" plot: "One can easily hack into the internal communication system just by breaking away that outside part and connecting the bare bus wires with a PDA or laptop." (A bus is essentially a collection of wires linking one part of a computer--or a car--to another.)
Looking ahead, a proliferation of remote access points--OnStar-type services, for instance, or short-range Bluetooth connections--will raise the odds that virus writers will eventually try to beam a bug across the ether. Just as such services let the car send data to the outside world, malware writers could try to use those wireless conduits to send destructive payloads into cars.
Systems like OnStar, known for providing emergency assistance or concierge services (its operators will make restaurant reservations for you), in fact hold deep conversations with the car's networks. Besides the ability to provide engine diagnostics and unlock the doors by remote to rescue forgotten keys, an advanced level of OnStar--now on about a dozen GM models--will report detailed data about a collision to emergency medical personnel.
Navigation systems, which have used only a time signal from satellites to determine a car's location, are adding traffic information. The Acura RL is the first with this service; updates about congestion or construction delays are sent to the car and displayed on the navigation screen.
Despite these potential pathways, creating a virus that would spread within the car would be no small feat. In the Windows-dominated PC universe, "the programmer only has to know the PC processor" to do damage, said Egil Juliussen of Telematics Research Group of Minnetonka, Minn., a firm that tracks the rise of in-car networking.
"The auto is a very different environment," he said. "The infotainment system may have multiple processors and operating systems. The navigation system has one processor or operating system, the telematics system may have another one and the radio may have a third one."
Getting a virus to propagate from one system to another would be akin to designing malware that could pass from ato a and on to a Linux machine--infecting them all.
"The point is that the virus writer needs to expand his knowledge by a factor of 10 or more over the PC world," Juliussen said. Even then, he said, with operating systems--particularly those that control crucial mechanical systems--remaining varied and proprietary, a successful virus could function in only a small fraction of cars.
"It's feasible," Juliussen said, "just a lot harder."
Whether virus writers can overcome the hurdles remains an open question, but evidence from the PC world suggests that as on-board networking becomes more widespread and standardized, they will certainly try. Early speculation, like the Lexus rumors, may help focus attention on the potential problem before car malware has a chance to flourish.
"I am very happy to see as many rumors of that sort as believable as possible as soon as possible," said Peter B. Ladkin, a professor of computer networks and distributed systems at the University of Bielefeld in Germany. "Because it means that more automakers will pay attention to what they're doing."