Earlier this summer, a pair of hackers took control of a moving Jeep Cherokee as a Wired magazine reporter drove the vehicle at 70 mph, 10 miles away. The hackers ran the vehicle’s air conditioning, radio, windshield wipers, brakes and steering – all via laptop, by infiltrating the vehicle’s Internet-connected infotainment system.
In response, Fiat Chrysler posted an urgent security patch on its website, and recalled 1.4 million of its 2013 to 2015 model-year vehicles to install the protective software. And the National Highway Traffic Safety Administration launched an investigation of Harman Kardon, maker of the Jeep UConnect system and similar systems for other automakers.
For the auto industry, the hack, the recall and NHTSA’s investigation offer a glimpse of a potential future for the so-called connected car.
Linked Up, Wide Open
One part of that future is already here.“Cars are computers now,” said Mark Rosekind, NHTSA’s administrator, during a news conference following the incidents. “They have been for a while.”
A lot of cars already are equipped with wireless connectivity, whether it’s Bluetooth that enables the car to communicate with a smartphone, or Wi-Fi, which connects mobile communication devices with the Internet, and the trend is accelerating. That technology figures to expand.
By 2022, more than 82 million cars globally will be connected to the Web – triple the number today – according to the international research firm IHS Automotive.
But the technologies that let cars hook up with phones and tablets also make them vulnerable.
Vehicles are “a collection of computers that are interfacing,” said Matt Clemens, a senior engineer with Arxan, a cybersecurity company that specializes in preventing reverse engineering and tampering of software that operates everything from military equipment to cars.
“What will be very important is the ability for newer vehicles to have their software securely and safely updated remotely, so you don’t have to go through what Jeep is going through, which is a huge recall which is costing them a lot of money.”
Concern over the Jeep hack was compounded by a cyberattack of GM’s On-Star infotainment system a week later, which “just highlights the number of points of entry” for hackers, Rosekind said.
So far, consumer advocates say public safety is not at widespread risk. But the cybersecurity of connected cars is raising concerns among people who make and drive vehicles.
“For several years now, car companies have been adding software and computer and Internet capabilities to their automobiles, but they may not have been putting the same level of care into the security,” said Kurt Opsahl, deputy executive director of the Electronic Frontier Foundation, a nonprofit civil rights group in San Francisco that represents the security research community.
“Cars are really just an example of issues arising from the Internet of Things, where more and more objects are being connected,” Opsahl added.
Bug Bounties
Many of the EFF’s clients are so-called red team analysts like the Jeep hackers – teams of IT specialists who pretend to be adversarial when they attempt to hack companies’ computer systems in an effort to expose, and hopefully repair, flaws before they become a bigger problem.“It’s often more effective to have a group outside of the organization attempt to defeat your security because they will be most similar to an actual malicious attacker,” Opsahl said.
Technology companies, including Google, have long offered these “bug bounties,” which reward hackers with thousands of dollars to find vulnerabilities. But with automakers increasingly morphing into technology companies themselves, they too are beginning to offer them.
Tesla, the Palo Alto-based maker of electric vehicles, encourages people outside the company to attempt to find vulnerabilities in its systems, said spokeswoman Alexis Georgeson.
While Tesla does not provide vehicles for its bug bounties, or disclose how much it might pay, the company’s website details its security vulnerability reporting policy.
Among other things, Tesla offers a dedicated email address through which people can report “legitimate” flaws, offering the assurance that it will not take legal action against the reporting party as long as that person follows certain guidelines.
The site even has a Tesla Security Research Hall of Fame that acknowledges their efforts by name; 24 people are listed.
General Motors, which is advertising its new Chevrolet lineup by flaunting its 4G Wi-Fi capability, found its Internet capability exploited this month, following a hacker’s report that he could access its OnStar RemoteLink app to locate, unlock and remotely start GM vehicles.
GM says it has since fixed the vulnerability, but the incident highlights the ever-evolving nature of automotive cybersecurity.
Despite its participation in collaborative computer programming conferences known as hackathons and its status as the first automaker to appoint a chief product cybersecurity officer in September 2014, General Motors was still susceptible to a hack, as are all automakers building Internet-enabled vehicles.
In its effort to improve on that front, GM is similar to many car companies in that it is taking a multidisciplinary approach, working with security experts inside and outside of the company and with the industry as a whole, said spokeswoman Rebecca White.
The company uses a global team that works “with researchers, security solution providers, educational institutions, and aerospace and defense organizations to leverage their expertise to minimize the risk of unauthorized access to vehicles and customer data,” she said.
Ford Motor Co., which uses a different communications and entertainment architecture than Fiat Chrysler and General Motors, “invests in security solutions that are built into the product from the outset,” said company spokesman Alan Hall.
“Our security team has developed hardware and software safeguards, as well as specific processes to help mitigate remote access risks in all our vehicles, whether they feature embedded cellular connections or not,” he said.
Recognizing that vehicle infotainment systems are the most vulnerable to attack, BMW uses something called transport encryption to protect data as it travels over a wireless communication network. The company also segregates infotainment functions from safety features, according to BMW spokesman Dave Buchko.
The company routinely performs security penetration tests both in-house and with independent institutes.
Driving Forward
If cars are vulnerable now, when their internal technologies can hook up with phones, tablets and laptops, what happens when cars can hook up with one another?“As you open up any kind of vehicle-to-vehicle content, that makes it eminently more vulnerable because you have to be able to talk to the other car, which opens a channel for someone else to act like another car and tell you erroneous data,” said John Mendel, executive vice president of American Honda in Torrance.
It is a “huge issue,” Mendel added. “It’s as big a safety issue as any other cybersecurity issue and an increasingly large threat for the auto industry.”
It’s possible the industry will fight the problem by taking it public.
In their news conference following the GM incident, NHTSA officials called on the auto industry to work with the federal government to address the threat of automotive cyberattacks.
An industry trade group, the Alliance of Auto Manufacturers, already is working to establish an information sharing and analysis center for automakers to determine digital threats and vulnerabilities.
The center is expected to be operational later this year.
Late last month, U.S. Sens. Edward J. Markey, D-Mass., and Richard Blumenthal, D-Conn., introduced the Security and Privacy in Your Car Act to set federal standards to secure cars while also protecting drivers’ privacy.
Rosekind, of NHTSA, suggested laws of some sort will be needed to protect consumers from auto-related hacks.
“Whether it happens again tomorrow or a month from now or a year from now, it doesn’t matter. These are areas we have to address.
“Everybody’s been saying ‘cybersecurity,’” he added. “Now, you have to step up.”
©2015 The Press-Enterprise (Riverside, Calif.). Distributed by Tribune Content Agency, LLC.
