Today’s cars are computers on wheels – with more microprocessing power than you’re likely to find in the typical home or office. Despite the benefits, computerization also brings some serious risks, as hackers in Houston have shown.
A surveillance video offers one of the few clues to a series of recent car thefts. It reveals one of the thieves breaking into a Jeep Wrangler, opening up a laptop computer and, after a few moments of tapping on the keyboard, driving away.
It’s still unclear if or how the thieves were able to hack into the car’s engine control system, but the incident is just one among a growing list of reasons why cybersecurity experts fear hackers are now targeting the automobile – and why Fiat Chrysler Automobiles last week announced it would offer a bounty of as much as $1,500 to “white hat” hackers who help the company find and fix potential software vulnerabilities. The automaker has teamed up with Bugcrowd, a San Francisco-based collective that can draw on the knowledge of an estimated 32,000 hackers around the world.
“The idea is to go out to the hacker community itself and ask for help,” explained Bugcrowd founder and CEO Casey Ellis. The company already has a similar relationship with Tesla Motors and several other automakers Ellis declined to identify.
“A few years ago, only a few experts took cybersecurity seriously, but now the industry is putting in a lot more resources,” said Saar Dickman, the founder and CEO of Tower-Sec, an Israeli firm considered one of the leaders in automotive cybersecurity systems.
As with home and office computers, hackers hope to access personal information for profit. But there are other potential risks, Dickman and other experts warn, especially as more advanced onboard technologies come to market.
Last year, a pair of security experts gave a hint of what might happen when they remotely hacked into the vehicle controls of another Jeep, ultimately sending it driving off the road and into a ditch. That could become even more of a nightmare scenario as automakers launch early self-driving vehicles, which might even allow hackers to kidnap or kill motorists by programming in their own destinations.
“The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles,” warned a bulletin jointly issued by the FBI and the National Highway Traffic Safety Administration earlier this year.
That message seems to be taking hold. A recent study by the consulting firm McKinsey found that 43% of U.S. car buyers say they’re worried about hacking.
A number of industry leaders, including General Motors CEO Mary Barra, will gather in Detroit later this week to attend a global cybersecurity forum. The event will highlight growing concerns about the issue and look at some of the potential solutions.
In the near-term, experts are approaching the problem much as they have with desktop and laptop computers and smartphones. The first line of defense is to isolate so-called vulnerabilities: gaps in vehicle software that provide an opening for hackers.
While it is still unclear exactly what the Houston thief was doing with his laptop computer, cybersecurity experts have shown it’s possible to hack into a wide variety of vehicles. Last month, researchers in Britain cracked the code on a brand new Mitsubishi Outlander plug-in hybrid. In February, another team revealed serious vulnerabilities with the smartphone app used by Nissan to control its Leaf battery-car.
Nissan was forced to disable that app until it could come up with a fix. FCA recalled a number of vehicles with potential cyber openings, as did BMW, whose own problem also affected Rolls-Royce and Mini models.
Part of the problem is that automakers are adding more ways for hackers to access the newest vehicles. A few years back, they would have needed physical access, most likely through the OBD, or onboard diagnostics, port under the instrument panel. Today, vehicles have added numerous wireless access points. Chevrolet, Audi, Ram and a number of other brands are equipping vehicles with 4G LTE WiFi hotspots. Some manufacturers, such as Tesla, are adding wireless systems that will allow them to upload “over-the-air,” or OTA, software updates, while others use satellite radio broadcasters to send software to a vehicle. Even the wireless tire pressure monitoring systems, or TPMS, required on all modern vehicles, can provide a back door for a savvy hacker.
Going forward, even more entry points could be available. At the Detroit Auto Show last January, Toyota showed off a new, high-speed satellite communications system developed, in part, by Intelsat, that could make cracking into a vehicle even easier if security solutions aren’t found.
Some experts fear the industry is falling behind, even as it steps up investments in cybersecurity. Part of the problem, Tower-Sec’s Dickman warns, is that automakers are trying to bend the antivirus and anti-spam technology used in home and office to work in the automobile.
The difficulty is that such systems rely on discovering a new virus or malware and then issuing an alert with protective code. But it is more difficult to ensure every car gets the latest updates, experts caution.
At this week’s cybersecurity conference, several firms are expected to discuss alternative approaches, unique to automobiles, which would automatically lock out suspect software and revert to the original, factory code, if something unusual begins to happen.
Hackers aren’t the only ones worrying both cybersecurity and security experts, especially as autonomous vehicle technology comes closer to making the transition from science fiction to real life. There is growing concern that terrorist groups, such as ISIS, could remotely program or pilot car bombs.
“We have concrete evidence they’re building cars that drive themselves,” Mikko Hypponen, the chief research officer of F-Secure, said during a presentation at this year’s SXSW conference. “It’s obviously a deep concern, because you are looking at safety vulnerabilities that could be exposed.”
How to prevent such a situation is unclear. Chinese authorities in the city of Shenzhen recently began a test program in which they will assign tracking IDs to 200,000 vehicles operating in the city. If the project works, it could be rolled out nationwide. Similar steps may be needed to track autonomous vehicles, experts say, though it’s unclear whether that will go far enough – or pass muster with privacy advocates.