Car hacking is the latest in a long series of consumer security threats and has been getting a lot of attention in the news. Major carmakers including BMW, Mercedes-Benz, General Motors, and Tesla have already had to address car hacking threats. Clearly, automotive hacking is posing a safety concern. And as consumers demand more from their connected cars, it will likely mean hacker attacks will target personal data and private information as well.
What Are the Primary Motivators for Hackers?
Hacking has a lifecycle like almost everything else in the world. The initial wave of hacking is based on an inherent desire to ‘see what is possible’. This is both the cause of great innovation and the beginning of the opening of a Pandora’s Box. Once something is known to be ‘possible’ there is a natural attraction to the hacker communities, who are seeking some level of self-gain. In the automotive arena, there are currently two or three use cases where a hacker may be motivated to take advantage of vulnerable vehicles.
We believe these can be summarized into three categories:
- Phishing Attacks - Hackers take a long-term view of gaining an economic return for their efforts. The point of phishing is to ‘learn something of value’ about a person or a group of people. They are casting a very wide net.
- One to One Attacks - Let's face it, some people are more interesting than others and hackers are going to go after high-profile opportunities. Sometimes this is just to make a name for themselves and other times it is to target an enemy of their cause.
- Mass Attacks - What motivates the hacker is making a big splash, and hacking a mass number of vehicles would generate a lot of buzz in the media. We can all imagine the economic impact of waking up one morning and finding that an entire set of vehicles can’t start due to a hacking incident, or worse, that there has been a rash of accidents caused by hackers remotely interfering with cars while they are being driven.
Manufacturers Need to Be Proactive about Hacking
Over the last year, the high-profile car-hacking events in the news have dramatized the vulnerability of the connected car.
Using simple wireless communications systems, hackers have demonstrated that no connected car network is safe:
- BMW was one of the first to report a hacking incident. To dramatize the vulnerability of the new connected cars, the Allgemeiner Deutscher Automobil-Club (ADAC), the German automobile club, was able to reverse-engineer the telematics software that controls BMW’s Connected Drive system, which is installed in more than 2.2 million vehicles. Exploiting security weaknesses in the software, ADAC was able to access the air conditioning system, traffic information system, and the door lock controls using a wireless computer.
- Chrysler suffered a similar embarrassment when two hackers were able to shut down a Jeep by remote control. In a profile published in Wired magazine, the hackers were able to take control of a Jeep Cherokee traveling at highway speed, first operating the windshield wipers, taking over the radio, and ultimately shutting down the vehicle altogether by locking the transmission.
- Tesla was also the victim of a cyberattack. Two mobile security experts demonstrated their ability to hack a Tesla Model S at the DEF CON hacker conference in Las Vegas. In order to hack the Tesla, they first had to gain physical access to the vehicle’s network infrastructure to introduce a Trojan. Once the virus was inserted, the hackers were able to convince the car that their laptop was the car’s controller, allowing them to take command, including the ability to shut off the engine.
What this demonstrates is that with connected car advances, OEMs need to be prepared to address security problems before they occur. Patching faulty software is one thing, but OEMs need proactive security measures to protect vehicles, such as firewalls and data encryption to protect vehicle telematics.
One of the interesting thoughts that arises out of this discussion is what role the consumer should play in security management for their vehicle. In the computing space, consumers play a fairly active role. Will they necessarily play a similar role in the vehicle? Do OEMs want consumer consent and participation in applying updates?
Personal Security Part of the Connected Car Risk
Security to promote driving safety is a primary consideration. However, manufacturers are also going to have to start thinking about securing personal data as well.
As cars increasingly become an extension of today’s connected lifestyle, car owners will start storing sensitive data in their car systems to handle music downloads, toll payments, and other transactions. Credit card information and identity theft are attractive targets for hackers, and something automakers need to consider.
For example, a hacker could set up a wireless sensor to access credit card data stored in cars driving past a given location on the highway. Hackers wouldn’t even have to go looking for targets; the data drives right past their door. Or what about hacking navigational data? If you can match a car’s GPS location to a known home address, then a housebreaker can tell when you are away from home.
To address these security concerns, Senators Richard Blumenthal (D-Conn.) and Edward J. Markey (D-Mass.) have introduced the Security and Privacy in Your Car Act, also known as the SPY Car Act. The legislation would establish a rating system for consumers to rank how well cars protect security and privacy. The senators’ proposal also asks the National Highway Traffic Safety Administration (NHTSA) to establish new standards of protection. These standards would require OEMs to isolate software systems and take steps to secure connected vehicles. They also want to require technology that would detect, record, and stop hacking attempts in real time.
Smart OEMs are becoming proactively involved in connected car security. By being proactive and taking positive steps today, manufacturers can become part of the security solution and help shape industry standards and legislation. They also can be ready to reassure customers that the next generation of connected cars is safe and secure.