Is Car Hacking the New Car Jacking?

January 5, 2017

in

Road Safety

by

Daniel Araya

Imagine one day starting your car engine and seeing the words, “You’ve been hacked!” across your dashboard. This is precisely what happened at Defcon 2015, the largest hacking conference in the world. Last year two researchers and self-described "stunt hackers" Charlie Miller and Chris Valasek, from the security consultancy IOActive and Twitter, demonstrated that hackers could wirelessly control a Chrysler Jeep.

Even though the hack could be executed remotely, it could only be fixed locally, requiring physical access to the vehicle. In response, Chrysler recalled 1.4 million cars.

<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Bye bye hack jeep.  It&#39;s been fun and sorry for what we did to you. <a href="https://t.co/5SNc3ItOwX">pic.twitter.com/5SNc3ItOwX</a></p>&mdash; Charlie Miller (@0xcharlie) <a href="https://twitter.com/0xcharlie/status/782621347146895360?ref_src=twsrc%5Etfw">October 2, 2016</a></blockquote>

<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

Why is hacking such a big concern? The simple answer is that cars today now employ complex computer systems that are highly vulnerable to attack. As McKinsey points out, today’s average high-end car has roughly seven times the code of a Boeing 787.

Indeed, the most obvious difference between cars from the Industrial era and the current wave of “smart” cars is the use of digital technologies. Internet connectivity is now ubiquitous to the car industry as consumers demand Web-mediated devices and features. So much so that car hacking may well be the new car jacking.

Consider that in 2013, Volkswagen filed a lawsuit against a team of University of Birmingham researchers who discovered a vulnerability in the company’s Radio-Frequency Identification (RFID) code. Hackers could start the ignition of millions of Volkswagen cars and drive them off without a key. Volkswagen managed to delay the publication of the research for two years to manage the problem.

This year, a Chinese security team successfully hacked a Tesla Model S, demonstrating several security vulnerabilities. Researchers were able to interfere with the car’s brakes, door locks and other electronic features. The hack targeted the car’s Controller Area Network (CAN) bus. Fortunately, the team notified Tesla of the hacks, allowing the company to update and patch the holes in its software in just over a week.

<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">.Watch researchers take control of a Tesla from 12Miles away!! <a href="https://twitter.com/hashtag/IoTSec16?src=hash&amp;ref_src=twsrc%5Etfw">#IoTSec16</a> <a href="https://twitter.com/hashtag/Tesla?src=hash&amp;ref_src=twsrc%5Etfw">#Tesla</a> <a href="https://twitter.com/hashtag/Hacked?src=hash&amp;ref_src=twsrc%5Etfw">#Hacked</a> <a href="https://t.co/3WBg3HkMs6">pic.twitter.com/3WBg3HkMs6</a></p>&mdash; #MyFutureM.o.T (MFMOT) (@MyFutureMot) <a href="https://twitter.com/MyFutureMot/status/788702735759773696?ref_src=twsrc%5Etfw">October 19, 2016</a></blockquote>

<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

Smart cars are particularly vulnerable and they’re getting increasing attention because of the massive disruption accompanying digital technologies. The main issue is that the underlying technology for most cars— CAN bus— is a standard developed in the 1980s. As more and more vehicles become connected to the Internet, this low-level security runs the risk of being targeted with cyber attacks.

As the art of computer hacking continues to evolve, new targets are emerging across both the public and private sectors. Gartner research, for example, estimates that worldwide information security spending has grown 7.9 percent to reach $81.6 billion this year.

And with Tesla’s electric car now merging with autonomous vehicles, the future looks increasingly “hackable”. Self-driving cars use a wide array of detection technologies including ultrasound (for determining the distance of close objects), sonar, stereo cameras, lasers, and radar.

<blockquote class="twitter-tweet" data-cards="hidden" data-lang="en"><p lang="en" dir="ltr">Tesla Model S, X and 3 will have 360-deg coverage: 8x more cameras, 40x computing power. Level 5 autononmy - <a href="https://t.co/VtFEkMvdxK">https://t.co/VtFEkMvdxK</a> <a href="https://t.co/GxP53MXOZW">pic.twitter.com/GxP53MXOZW</a></p>&mdash; TESLARATI (@Teslarati) <a href="https://twitter.com/Teslarati/status/788906634852524033?ref_src=twsrc%5Etfw">October 20, 2016</a></blockquote>

<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

As the array of computers, sensors, and components required for autonomous vehicles increases, so will the software that ties it all together. And as everything from in-car Internet dashboards, driver control systems, and maintenance systems become digitized, the challenge of car hacking grows more serious.

For this reason, the newly formed Automotive Information Sharing and Analysis Center (Auto-ISAC) has recently published a best practices guideline for cyber security to “promote collaborative cyber security efforts”. While hacking a car may not be impossible, the aim is to make it as difficult as possible and to have backup systems in place.

<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Why is it that every headline is &#39;product X easily hacked&#39;. Hacking a car was hard. Hacking is hard. It is good that it is hard.</p>&mdash; Chris Valasek (@nudehaberdasher) <a href="https://twitter.com/nudehaberdasher/status/805419828756496384?ref_src=twsrc%5Etfw">December 4, 2016</a></blockquote>

<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

The hard reality is that next generation of cars are highly attractive targets for hackers. The problem is that the wide range of sensors that make autonomous vehicles “self-driving” can be jammed, subverted or muted. Next generation autonomous vehicles are something like iPads on wheels and this makes them especially vulnerable to hacking.

Analysts anticipate a future of widespread autonomous ridesharing. So much so that forecasts suggest that there will be as many as 10 million self-driving cars on the road by 2020. Self-driving cars could cut road deaths by 80%, but they may also make consumers particularly vulnerable to security threats.

Computers now control a wide range of automotive functions and car companies will need to become much better at integrating software security into their vehicles. Looking forward, cyber insurance is becoming a massive market, expanding from $2bn in 2015 to a predicted $7.5bn in 2020.

Of course, insurance alone won’t solve this problem. What is more likely is that many Silicon Valley tech companies will begin to morph into “mobility” companies as their expertise comes to displace traditional automakers.

To paraphrase venture capitalist Marc Andreessen, software is eating the world and car companies along with it.
Daniel Araya

Daniel Araya is a researcher and advisor to government with a special interest in technological innovation, public policy, and education. He is a a Sharing Cities Policy Fellow with Shareable and a regular contributor to various media outlets including Futurism, The Brookings Institution, and Medium.

RELATED POSTS

We’re ready to help you

GET HELP