Connected cars are essentially computer networks on wheels. The dashboard is now the control center for telecommunications, web surfing, car diagnostics, navigation, and a host of other functions. The rolling computer network monitors the car’s systems using built-in sensors to make sure everything is running properly. A wireless connection can also be used to send telemetry to the telematics service provider or the manufacturer to facilitate service and update software. Once a vehicle is connected to the internet it becomes susceptible to hacking.
Car hacking is the latest in a long series of consumer security threats and has been getting a lot of attention in the news. Major carmakers including BMW, Mercedes-Benz, General Motors, and Tesla have already had to address car hacking threats. Clearly, automotive hacking is posing a safety concern. And as consumers demand more from their connected cars, it will likely mean hacker attacks will target personal data and private information as well.
What Are the Primary Motivators for Hackers?
Hacking has a life cycle like almost everything else in the world. The initial wave of hacking is based on an inherent desire to ‘see what is possible’. This is both the cause of great innovation and the beginning of the opening of a Pandora’s Box. Once something is known to be ‘possible’ there is a natural attraction to the hacker communities, who are seeking some level of self-gain. In the automotive arena, there are currently two or three use cases where a hacker may be motivated to take advantage of vulnerable vehicles.
We believe these can be summarized into three categories:
- Phishing Attacks - Hackers take a long-term view of gaining an economic return for their efforts. The point of phishing is to ‘learn something of value’ about a person or a group of people. They are casting a very wide net.
- One to One Attacks - Let's face it, some people are more interesting than others and hackers are going to go after high-profile opportunities. Sometimes this is just to make a name for themselves and other times it is to target an enemy of their cause.
- Mass Attacks - What motivates the hacker is to make a big splash and hacking a mass number of vehicles would generate a lot of buzz in the media. We can all imagine the economic impact of waking up one morning and finding that an entire set of vehicles can’t start due to a hacking incident, or worse, that there has been a rash of accidents caused by hackers remotely interfering with cars while they are being driven.
While we think the chances of a major event remain remote at this time, we cannot continue to believe that vehicles are ‘islands’ protected from foreign elements by their disconnected nature.
Manufacturers Need to Be Proactive about Hacking
Over the last year, the high-profile car-hacking events in the news have dramatized the vulnerability of the connected car.
Using simple wireless communications systems, hackers have demonstrated that no connected car network is safe:
- BMW was one of the first to report a hacking incident. To dramatize the vulnerability of the new connected cars, the Allgemeiner Deutscher Automobil-Club (ADAC), the German automobile club, was able to reverse-engineer the telematics software that controls BMW’s Connected Drive system, which is installed in more than 2.2 million vehicles. Exploiting security weaknesses in the software, ADAC was able to access the air conditioning system, traffic information system, and the door lock controls using a wireless computer.
- Chrysler suffered a similar embarrassment when two hackers were able to shut down a Jeep by remote control. In a profile published in Wired magazine, the hackers were able to take control of a Jeep Cherokee traveling at highway speed, first operating the windshield wipers, taking over the radio, and ultimately shutting down the vehicle altogether by locking the transmission.
- Tesla was also the victim of a cyber attack. Two mobile security experts demonstrated their ability to hack a Tesla Model S at the DEF CON hacker conference in Las Vegas. In order to hack the Tesla, they first had to gain physical access to the vehicle’s network infrastructure to introduce a Trojan. Once the virus was inserted, the hackers were able to convince the car that their laptop was the car’s controller, allowing them to take command, including the ability to shut off the engine.
While all these hacking incidents demonstrate the vulnerability of the connected car, how these carmakers dealt with the problem demonstrated manufacturers’ preparedness to deal with hackers. Chrysler’s approach was the old school ‘sneaker net’ approach, essentially shipping USB drives with a software patch to 1.4 million car owners. BMW’s solution was more elegant; they were able to develop a patch and then send it wirelessly to all affected cars so the software update was automatic. Tesla had the most sophisticated solution. The company already sends regular software updates wirelessly to all its vehicles, so the software patch to fix the security bug was ready for delivery.
What this demonstrates is that with connected car advances, OEMs need to be prepared to address security problems before they occur. Patching faulty software is one thing, but OEMs need proactive security measures to protect vehicles, such as firewalls and data encryption to protect vehicle telematics.
One of the interesting thoughts that arise out of this discussion is what role the consumer should play in security management for their vehicle. In the computing space, consumers play a fairly active role. Will they necessarily play a similar role in the vehicle? Do OEMs want consumer consent and participation in applying updates?
Personal Security Part of the Connected Car Risk
Security to promote driving safety is a primary consideration. However, manufacturers are also going to have to start thinking about securing personal data as well.
As cars increasingly become an extension of today’s connected lifestyle, car owners will start storing sensitive data in their car systems to handle music downloads, toll payments, and other transactions. Credit card information and identity theft are attractive targets for hackers and something automakers need to consider.
For example, a hacker could set up a wireless sensor to access credit card data stored in cars driving past a given location on the highway. Hackers wouldn’t even have to go looking for targets; the data drives right past their door. Or what about hacking navigational data? If you can match a car’s GPS location to a known home address, then a housebreaker can tell when you are away from home.
To address these security concerns, Senators Richard Blumenthal (D-Conn.) and Edward J. Markey (D-Mass.) have introduced the Security and Privacy in Your Car Act, also known as the SPY Car Act. The legislation would establish a rating system for consumers to rank how well cars protect security and privacy. The senators’ proposal also asks the National Highway Traffic Safety Administration (NHTSA) to establish new standards of protection. These standards would require OEMs to isolate software systems and take steps to secure connected vehicles. They also want to require technology that would detect, record, and stop hacking attempts in real time.
Smart OEMs are becoming proactively involved in connected car security. By being proactive and taking positive steps today, manufacturers can become part of the security solution and help shape industry standards and legislation. They also can be ready to reassure customers that the next generation of connected cars is safe and secure.