If connected cars are the future, connected car hacking will need to become a dominant focus of cybersecurity. Unfortunately, the latest battlefront in cybersecurity is beginning to look hauntingly like IT cybersecurity: Companies respond after hackers expose glitches and security holes.
We’ve seen this extensively in 2019. A popular telematics system was left vulnerable when hackers discovered the hard-coded credentials within. Hackers said in an interview they had figured out how to do a mass activation of connected car immobilizers, leaving drivers at risk of being stranded on the highway. A software engineer discovered a bug that would have allowed hackers to remotely start vehicles via an internet connection. And so on.
Car companies immediately remediated many hacks discovered in 2019 – but as in IT, the remediation came after the fact. That’s unacceptable; unlike infected servers, which are unlikely to do any more than cost companies time and money to fix, vehicles hurtling down the highway at 60 miles an hour can kill.
The majority of vehicles currently on the road are not yet connected and are certainly not self-driving, but the industry is carrying us toward driverless vehicles. Within two decades, more than a quarter of cars on the road will be autonomous, and even the cars that aren’t self-driving will be connected. If that is the direction vehicles are taking, the industry has a responsibility to ensure the people in those vehicles are protected from cyberattacks.
We’ve already seen how hackers can remotely control vehicles they’ve hacked into. Vehicles that collect data upload it to servers using the cellular networks available in the area, and those networks have proven vulnerable to intrusion, especially in connected vehicles. Hackers demonstrated how easy it was to take control of a Jeep Cherokee, and according to many experts, a vehicle’s CAN bus is eminently hackable. But as always, hackers forge ahead to more spectacular and more damaging attacks.
A scenario foreseen in a Georgia Tech study, where hackers use “gridlockware” to halt vehicles until a ransom is paid, is a frighteningly real possibility – perhaps even probability. According to the study, “hackers could not only wreck the occasional vehicle but possibly compound attacks to gridlock whole cities by stalling out a limited percentage of cars.” You wouldn’t even need to disable all the cars on the road; it would be enough to stall out just 20% of them. Just the threat of an attack like that – which would likely bring in its wake road rage violence on an unprecedented scale, along with major economic losses – would likely prompt city officials to cough up whatever ransom hackers demanded. Attacks like these, and certainly others on a smaller scale, are likely to become more common as the decade turns.
So what can we do? Fortunately, the industry is taking the problem seriously. General Motors recently designed a new electronic vehicle platform that takes hacks into account, with cybersecurity “baked in from the start,” using, for example, message authentication between vehicle components to ensure that the communication being sent or received is from a legitimate server. The company says it is using pen-testers and white-hat hackers to search for vulnerabilities in its network.
Toyota is also using the same tools as hackers. The company has developed PASTA (Portable Automotive Security Testbed with Adaptability), a system that allows anyone – even car owners – to explore connected vehicle ECUs and search for vulnerabilities.
Whether the measures manufacturers are taking will be sufficient remains to be seen, but it’s clear that cybersecurity that can catch problems before hackers do – and prevent them from taking advantage of problems – needs to be an absolute priority. The car industry owes it to us, and we may end up owing our lives to properly executed cybersecurity.
Yossi Vardi is CEO of SafeRide Technologies.