Contributed Post by Mr. David Moss
David Moss is a Detroit based automotive freelance writer. When he is not writing about the latest car technology, he spends his time hiking. You can follow him via Twitter @davidcmoss
The modern car is a changing landscape. Vehicles made today have powerful computing components that supply a number of features, from assisted driving to automated entertainment. Every year more is added, and the trend is as exponential as any other industry utilizing computers, automation and connectivity. In fact, according to BI Intelligence, by 2020 an astonishing 75 percent of all new vehicles on the road will be connected to networks, one way or another.
For all of the amazing benefits that this can bring to the road, there is a very real downside. For the first time in history, cars are at a significant risk from remote attacks. Automotive hacking is just one of the ways malicious computer use is shaping the world, but it requires serious scrutiny. This article is going to take a deep look at this problem. Through recent studies, a clear picture will be painted to demonstrate the current state of the industry, as well as how and why things need to change.
The Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk Report
In February of 2015, Senator Edward J. Markey commissioned a study to investigate the auto manufacturing industry. The study looked at the prevalence of hackable wireless technologies, uses of data collection, handling of data, existing security measures and overall vulnerability to ascertain a general state of the industry. Through a few key findings, the study determined that there are some major changes that need to hit the industry.
The first aspect of the study is probably the most important. Basically, every single car being manufactured today has some form of wireless, hackable technology. Bluetooth and wifi are increasingly common, but an increasingly available technology that poses the greatest threat is the Internet of Things connectivity. Most vehicles can track driving data and statistics, and report the information back to the manufacturers. While this data can be used to improve engineering, it also represents a collection of private information that is not known to most drivers.
That in itself is a fairly manageable problem, until it is paired with a second key finding. The majority of these manufacturers were completely unable to report on hacking attempts and incidents. This was possible because they weren’t looking, or, more specifically, they had not at that point considered the potential risks of hacking.
This general unawareness has led to a wide array of security measures. With no standardization, consumers are exposed to risks of data breaches in a number of ways that would be easily preventable under certain circumstances. Moreover, many systems from a single manufacturer can have differing levels of safety, making the industry as a whole difficult to grade. The one factor that is common throughout is that there are multiple points of vulnerability, and major changes will be necessary to resolve the risks.
One of the most frustrating findings in the study showed that most drivers were completely unaware of these risks. Data collecting technologies are relatively new, and there is a general lack of transparency in the process. If drivers don’t know their data is being collected, they cannot take proactive measures to protect their privacy.
The study was not all bad news. Upon realizing the unacceptable state of the industry as a whole, American manufactures agreed to voluntary improvements that are already hitting markets. While the measures do not entirely fix the situation, they have dramatically improved transparency, and with better awareness the manufacturers are now researching holistic approaches to security. Additionally, Senator Markey is pushing for congressional reform. Using the National Highway Traffic Safety Administration (NHTSA) and Federal Trade Commission (FTC), a committee is working to standardize automotive data security.
Real Hacking in the Real World
It’s easy to dismiss the senator’s study as theoretical rhetoric. Studies are great for manufacturers, but car hacking isn’t a real thing, is it?
Thankfully, there have been no instances of widespread hacking across the U.S. Such an event would be calamitous, but it would also be very difficult to do. Instead, car hacking is still an uncommon occurrence that is challenging, but clearly possible. The best examples come through the efforts of Charlie Miller and Chris Valasek. These experts have been experimentally hacking into vehicles across the board to better understand the real risks.
In their most famous experiment, they took control of a 2014 Jeep Cherokee. While it was being driven on a real highway in St. Louis, the hackers were able to adjust a number of controls, from air conditioning to lights, and ultimately shut of the engine in the middle of the drive. Since this test, they have penetrated a number of other vehicles, and the results stay consistent. As vehicles become more connected and automated, hackers have more potential control over every aspect of driving.
As scary as this seems, it’s ultimately a good thing. The work being done by Miller and Valasek has already enabled several manufacturers to eliminate the biggest vulnerabilities in their systems. The 2014 model that was so famously controlled has since received updates that have made similar attempts impossible, but this brings up an important point. Much like with the computer industry, the future safety of the roads will largely hinge on consumer participation. Staying on top of updates and recalls is only going to become more important as the range of risks increases.
That is a big part of the reason the FBI and Department of Transportation have worked to make this knowledge public. In addition to promoting articles discussing the hacking, they have released an official public statement noting the potential risks of car hacking. On top of that, they have opened official channels to make it easy for consumers to report hacking incidents. Tracking the problem will make it easier for manufacturers to measure and eliminate risks along the way.
Overhauling the Industry
While the risk of having a car hacked in the middle of a drive is terrifying, it isn’t the main concern for the industry. The main reason this isn’t an epidemic already is because there really isn’t any motivation for hacking a car in this way. Traditionally, malicious cyber-attacks are all about the bottom line, and in the case of cars, the most profitable form of attacks is stealing information. Just like with any other connected industry, the real risk is in the massive amounts of collected data.
There is good and bad news in this reality. The good news is that the overall threat to road safety, and the possibility of hackers accessing vehicle's advanced safety systems, is minimal. The bad news is that protecting data is even more difficult than protecting the cars. In order to achieve generally acceptable levels of protection, the very nature of design, development and marketing will have to change. Manufacturers have taken progressive measures so far, even retrofitting older models with additional security, but experts across the board say that it isn’t enough. A look at a study by Duncan Brown is very revealing.
In his study, Brown was able to show that real cyber security has to begin with design. If the systems aren’t built for security, and more importantly, security upgrades, then any attempts to beat hackers will eventually fail. His study also shows just why this is such a monumental challenge for car makers. The biggest issues stem from the fact that manufacturers are mostly assemblers. While they choose which parts go in their vehicles, they outsource large portions of design and development. Unless those third parties are sufficiently incentivized, they have little reason to reimagine their process, and security will suffer as a consequence.
There is another major issue that is mostly unique to cars. Unlike personal computers, they often stay on the roads for decades. This matters mostly because sustainable security requires regular updates. Those updates come at a cost, and companies like Apple and Microsoft have demonstrated just how expensive and draining updating older systems really is. One of the keys to overcoming this is a more cost-effective approach to security maintenance, and that will require extensive research and innovation.
The ultimate solution will come down to spending. When security risks become an expensive enough problem, you can expect the industry to respond. This gives consumers an important measure of power. If cyber security awareness is pushed fast enough, buyers will consider this safety aspect when they shop. A buying shift away from vehicles and manufacturers that lag behind in this facet is the fastest way to push for the changes that still need to be seen.
These problems are new, and as such, much more study needs to be done. Understanding the problem is clearly one of the major keys to resolving it. Ultimately, that isn’t enough. The industry needs to change, and it has to be done on every level. Every part supplier, manufacturer and developer in the chain of car production will need to contribute. The steps taken so far are a good start, and if all parts can follow through, the future just might not be full of hacked automobiles.
Topics: Connected Car - Security