In The Age Of Connected Cars, How Secure Are You?
Technology in the automotive industry has evolved to a stage where cars are all connected via apps and advanced dashboard features. However, as with every piece of technology, there is a fear of viruses and hackers. Even with huge companies like Facebook and Google, there have been implications of information being leaked out, money stolen or identities at risk. Today, all these risks are becoming more relevant to the car. Carmakers are increasingly trying to beef up their in-car security systems to prevent hackers from manipulating the built-in safety protocols and other cyber attacks.
So the question is: how safe is your connected car?
Carmakers will want to alleviate the fears, because every new model now has its own Internet connected car systems which help them and their customers keep track of the car’s mileage, fuel levels and other functions. However, the task is made tougher because not only do the car’s internet-connected systems need to be secure, but so too do the internal networks that run within the vehicle. These control basic functions such as the infotainment system, and for a growing number of vehicles, vital driving tasks such as steering, braking and acceleration. Under the control of a hacker, the potential for disaster is high.
It’s not to say that carmakers are not taking any steps forward. General Motors in the United States is one such example, hiring its first dedicated cyber security officer, Jeffrey Massimilla. They also invited “white hat” hackers to find loopholes in its cars as part of an effort to find and fix any insecurities.
“We’ll show them the products, programmes and systems for which we plan to establish these Bug Bounties,” GM President Dan Ammann said of these ‘white hat’ hackers, “Then we’ll put them in a comfortable environment — ply them with pizza and Red Bull or whatever they might need — and turn them loose.”
Similarly, Tesla offered between US$100 (RM415) and US$10,000 (RM41,500) for every bug found in its software, depending on the severity of the breach and its potential ramifications.
While there is a positive sign on how carmakers are taking the security threats and cyber security seriously, many are still asking, why should there still be automated vehicle technologies when there is a risk of hacking?
Up to today, there have been several mainstream hacks from teams researching cyber security in vehicles that have shown that critical vehicle functions can be accessed through seemingly simple means. For example, a UK-based Nissan Leaf was accessed remotely all the way from Australia, allowing the heating and ventilation systems to be adjusted remotely, as well as access private GPS data. The hacker claimed that the vulnerability came from the NissanConnect smartphone app, which only requires a car’s vehicle identification number (VIN) to take control.
In a separate case, a Mitsubishi Outlander PHEV also fell prey to a research project. The alarm could be deactivated by decoding the password for the Wi-Fi connection used by the car’s smartphone app, which also allows remote control of other functions such as air conditioning and headlights. There is also the case of FCA’s Uconnect system, an award winning connected system built into Chrysler, FIAT, Jeep, Ram Truck & Dodge vehicles, where Wired journalist Andy Greenberg was left stranded on the highway after the brakes and steering wheel had been remotely hacked by two researchers doing an experiment.
These are just some events that may have forced the hand of automakers to accelerate plans. As a result, the industry has had to come to terms with cyber security, and fast. Security defines the limitations of what is accessible. This is where mandatory access control becomes important, to provide access to only what is needed and nothing more.
“In the last couple of years, some of these exposed systems have really awakened the industry to the vulnerabilities out there,” says Chuck Brokish, Director of Automotive Business Development at Green Hills Software. “The industry is taking security quite seriously in implementing at least some minimal functions of security like authenticated boot or secure communications channels, for example.”
Thankfully, the threat of a fullblown cyber attack is diminished by a few factors. First, there is no fully autonomous vehicle out in the market yet, and even for those in testing, there are only featuring semi-automated functions available. And while most cars currently on sale may well be connected to the internet in some way, there has not been a surefire ability to remotely control critical vehicle functions that carries the most potential for harm.
Another reason is that there is a wide variation in the software used in different cars, which may make it difficult for the hackers to have a one shoe fits all approach to hacking cars. Hackers cannot necessarily take down numerous types of cars with a single hack. Brokish suggests that it has not been worth a hacker’s time, effort or money to plan a cyber attack on even the most advanced cars on the market.
“Frankly, the payback is not big enough yet,” Brokish explains. “Hackers need to have enough vehicles that they can hold to ransom, or disrupt, to make it worth the effort.” A small number of vehicles with diverse software means many hacks are required; once the volumes of these cars increase and software becomes more standardised it will become easier to get a greater return on a hack.”
It remains to be seen that in the near future, whether autonomous vehicles are likely to be the most attractive targets, whether for financial gain or disruption. In this case, it would be best if carmakers work together to put the necessary defences in place to avoid hacks wherever possible, and to limit the impact of hackers ruining an amazing piece of technology.
What do you think about this? Leave a comment below!