It's risky getting into a vehicle, navigating treacherous highways and trusting that other drivers are competent enough to keep you safe on the road. But as society enters the Internet of Things era, new threats will emerge in the form of cybercrime. As vehicles become more connected and more reliant upon internet connectivity, security researchers are discovering a number of security holes in the technology that powers connected and autonomous vehicles.
Automakers are facing increased pressure to find ways to guard people against cyber-attacks now that cars are being manufactured to depend on internal computers and internet connections. At the recent Billington Global Automotive Cybersecurity Summit held in Detroit, Michigan, the message from the speakers was clear: Global security threats are increasing, and if the auto industry, governments and law enforcement don't come together to counter those threats, the advances being made in connected and autonomous vehicles could be set back years.
John Carlin, assistant attorney general for national security at the U.S. Department of Justice, referred in his speech to the July 14 terrorist attack in Nice, France, where 80 people were killed: "We know these terrorist groups have the capability," he said. "If they're trying to get trucks to drive into crowds of civilians, it doesn't take too much imagination to imagine they'd try to do the same thing with an autonomous vehicle."
The Billington Summit gathered highly regarded auto industry, government and law enforcement leaders, including Transportation Secretary Anthony Foxx and National Highway Traffic Safety Administration chief Mark Rosekind, to discuss growing cybersecurity concerns in the auto industry. The Summit was opened with a keynote speech by General Motors CEO Mary Barra, who called for a unified response to cyber threats.
"A cyber incident is not a problem just for the automaker," she said. "It is a problem for every automaker around the world. It is a matter of public safety." Many of the speeches, according to Auto News, agreed that responding to cyber threats will require collaboration by the automotive industry between competitors and with regulators.
Barra also highlighted the need to protect the personal data of customers who use an in-car system for banking or to pay for other services. "The fact is personal data is stored in or transmitted through vehicle networks," she said. On top of that is the complexity of the latest auto IT systems, which she said "opens up opportunities for those who would do harm through cyber-attacks."
Jonathan Allen, a cybersecurity expert with Booz Allen, is helping automakers and their suppliers prepare to deal with threats in a changing auto landscape. He noted that up until only two years ago, automakers tended to downplay the threat posed by hackers. But he said there has been a significant cultural shift within the industry to tackle the challenges seriously.
Josh Corman, founder of I am the Cavalry, a global grassroots organization that is focused on issues where computer security intersects public safety and human life, noted a substantial threat that all automakers could relate to: damaged reputation. Hacking into cars could threaten "flesh and blood" so car makers have to be even more vigilant, said Corman.
Jeffrey Massimilla, General Motors chief cybersecurity officer, added that sharing information broadly across the industry is one of the keys to fighting off cyber threats. Industry and key suppliers have received government approval in the past year to share information amongst themselves on cybersecurity without the threat of anti-trust action, according to phys.org. Automakers are also recruiting "white hat" hackers to help hunt down vulnerabilities in the IT systems of cars, says the report.
"We should have a way for people to find things and report them," said Titus Melnyk, senior manager of security architecture at Fiat Chrysler Automobiles (FCA), which recently invited the 'bug crowd' that searches for weaknesses in new software, smartphones, computers or consumer electronics. "These threats are evolving. At FCA we take that seriously," he said.
The majority of security vulnerabilities in vehicles stem from automakers not having the necessary expertise when it comes to securing computer systems from cyber criminals, Jeff Williams, chief technology officer of the security firm Contrast Security, told Business Insider last year.
Williams said: "Cars are vulnerable because they were never built with defenses in mind. If you take something that was designed to work in one set environment and you connect it to a much more hostile environment, you don't have the right defenses in place. So of course it's vulnerable. It's like Bambi walking out of the forest into the field. Nobody today designs cars to operate on the internet, but all of a sudden we are connecting them. And so then we are getting thrown in the deep end."
Gartner estimates that there will be a quarter of a billion connected vehicles on the road by 2020, and that number will likely continue to grow as smart vehicle technology develops over time. Security researchers, according to Business Insider, have been testing vulnerabilities in smart vehicles for a while now.
Until recently, they have mostly been able to breach a vehicle when it was within a certain physical range or with the inclusion of special hardware previously installed in the cars. But White Hat hackers have recently shown that certain models of vehicles with wireless connectivity can be breached without these stipulations.
Fiat Chrysler was one of the first vehicle brands to experience vulnerabilities related to smart features. Last year two security researchers discovered a weakness in Fiat Chrysler vehicles that allows some of them to be controlled remotely via an internet connection. The problem sat with Uconnect, a feature found in Fiat Chrysler vehicles that enables phone calls, controls entertainment, and powers a Wi-Fi hotspot.
When the weakness was exploited, the researchers were able to use Uconnect's cellular connection to source the vehicle's IP address in order to gain access to the car from anywhere in the world. They were able to gain access to the chip controlling entertainment and rewrite firmware so that they could implant code to control aspects of the cars such as engine and brakes. The capabilities were only fully tested on Chrysler's Jeep Cherokee.
According to Fiat Chrysler, a special team identifies potential vulnerabilities in its vehicles. But the incident raised serious concerns about smart vehicle security. A BMW system was also compromised last year when researchers were able to remotely open the vehicle's locks. It's only a matter of time before real hackers are able to gain access to everyday citizens' vehicles by the same means.
For example, a hacker could potentially use a car's GPS to locate a person in a remote area, and then install a virus on the car's computer which could only be removed if the person in the vehicle hands over ransom money. We could potentially have a big problem on our hands, says Williams.
"When you start adding technologies like Uconnect and all of a sudden your car is connected directly to the internet and your car's IP address, then you are accessible from any computer in the world," said Williams. "We have networked all of these things and now they are remotely attackable."
The question is: how can smart car owners better prepare against potential cyber-attacks? It's important to keep the software in a vehicle's system up to date. But this process isn't always straightforward. Williams says some companies roll out wireless updates, but most do not. An example of this is how Fiat Chrysler has a downloadable patch that can fix the vulnerability discovered in its vehicles, but owners must install the update via a USB drive or visit a local dealership to have it installed.
"In a lot of ways, consumers are helpless in this situation," says Williams. "There's really not a lot that you can do to truly secure your car because you don't have visibility into your software or how it is produced. The only power that consumers have is really the power of the purse, and consumers can reward vendors who are open about security and being transparent about the security they provide in their product."