As 250 million cars are predicated to be fully wired by 2020, experts warn that our vehicles may be our most vulnerable (and deadly) cyber threat.
Andy Greenberg, tech writer at Wired Magazine, got a driver’s eye view of what a moving hack looks like. As he ambled about in Jeep Cherokee at 70KMH, a cyber exploit schooled him on the deadly consequences of the Internet of Things (IoT) in all things vehicular. “Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass,” he narrates of the experience. “Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.” Indeed, his education by Charlie Miller and Chris Valasek, Zero Day Attack specialists working in the automotive sector, proved the poignant message all too well. We’re moving from hacks that threaten data to hacks that—in this extreme scenario—threaten life. Experts are talking about the car being this generation’s greatest security threat, IoT or otherwise.
It’s easy to see why. The car is an environment ripe for exploits as it increasingly becomes connected as well as massive in scope, a market that Gartner predicts to reach a quarter of a billion connected vehicles by 2020. Deloitte, in an exhaustive report on IoT in the automotive industry, predicted “We expect the impacts on the industry to be transformational, not incremental.” Naturally the telemetry of cars, using onboard navigation systems, is well known and of course creates a privacy opportunity to be exploited from various directions. But as cars become enabled through LANs and WiFi, streaming data into onboard and infotainment systems, having the engine and drive train communicate to system services and monitoring based in the cloud, their vulnerability increases dramatically as more and more vehicles go online and beyond simple data breaches. The US Department of Transportation’s (DOT) National Highway Traffic Safety Administration (NHTSA) announced plans to enable vehicle-to-vehicle (V2V) communication for light vehicles. This technology is designed to allow vehicles to “talk” to each other—exchanging speed, position, and other safety data up to 10 times per second—to avoid crashes. But it’s one that is open to data interception as well. As the above scenario shows, the control of the car comes into question and it moves from nuisance to dangerous. Ransomware your car to the point that you break down on the highway? Exploit onboard screens that you’ve used for banking or social networking for identity theft? Or—more malevolently—a social malcontent can attack the vehicle and cause an accident. And of course terrorist attacks are possible in this scenario.
“The power struggle between automakers and software developers is a symptom of the ongoing transformation, like birth pangs as the industry reinvents itself.”
New industry groups such as SWRI’s Automotive Consortium for Embedded Security, the SAE Vehicle Electrical System Security Committee, the US Council for Automotive Research’s (USCAR) Cyber/Physical Systems Task Force, and the Automotive Industry Information Sharing and Analysis Capability (ISAC) are taking action, organizing to prevent these scenarios. Craig Smith, author of The Car Hacker’s Handbook and founder of OpenGarages, believes that one of the major requirements for the connected car industry is an easy way to update systems over the air and with a greater frequency. “Being able to regularly push out fixes will go a long way in maintaining secure IoT systems,” says Smith. But others have questioned how motivated the automotive industry is in implementing these update protocols considering the frequent need for updates and keeping APIs robust. The conversation between the software architects and the car makers remains disparate. “The power struggle between automakers and software developers is a symptom of the ongoing transformation, like birth pangs as the industry reinvents itself. We are moving from an age of products to an age of services and experiences, from hardware to software, from functionality to information as the key object of value creation, and from industry silos to intricately connected ecosystems and value loops,” experts Simon Ninan, Bharath Gangula and team have said in their report on IoT automotive, Who owns the road? The IoT-connected car of today—and tomorrow. As the road fills with more and more online cars, including fully autonomous ones, the need for security to go the extra mile increases dramatically.