DAB: A Hacking Vector?

U.S. news media went bonkers a couple of weeks ago when information security researchers, in conjunction with a journalist from Wired, demonstrated how they could remotely access a Jeep Cherokee and take control of various functions, including its engine, steering, and braking. The hack exploits the fact that many cars and trucks today interface with the Internet in some fashion, either directly or via other devices that connect to them (like a smartphone).
That hack targets vehicles on a one-to-one basis, and it is not the first of its kind. But what if you could broadcast an exploit to multiple vehicles at once? Turns out this is possible, too. Researchers in the U.K. say they can transmit code within a DAB digital radio signal that provides control of critical vehicle systems.
The BBC ran this attack past the folks who pwned the Jeep Cherokee; one of them called it entirely plausible, since both effectively involve compromising a vehicle’s infotainment system. The DAB exploit has only been demonstrated in closed conditions, using private vehicles and a homebrew DAB transmitter. A hacker would presumably embed their payload into the DAB stream of a popular station in order to maximize the exploit’s effect. But what’s to stop them from contaminating every station stream in a multiplex?
On the sender-side, the first step toward preventing such an exploit is to secure the radio station’s infrasctructure. Although the United States doesn’t use DAB, broadcasters still have a lot to learn about locking down their stations, though the consequences at this stage are relatively minor — data loss, bad PR, wounded pride. Even cases of Emergency Alert System intrusions/failures are more frustrating than fear-mongering.
Auto manufacturers seem to be letting the drive toward connectivity and convenience trump information security. What practical reason is there for a vehicle’s infotainment system to have any ability to send information to the drivetrain or control systems? Wouldn’t it make sense to authenticate where critical control commands come from?
Cars are one of the more notable elements of the Internet of Things (IoT) growing around us, and it would make sense that connected things should come with some level of cybersecurity. But most don’t, so it’s incumbent upon those who supply data to things to lock themselves down as best they can. As digital broadcasting becomes more and more about the provision of audio that is not data, stations may become increasingly lucrative targets of exploit.
Just what is the state of information security in modern U.S. broadcasting today?