This blog will expand on themes and topics first mentioned in my book, "The Automobile and American Life." I hope to comment on recent developments in the automobile industry, reviews of my readings on the history of the automobile, drafts of my new work, contributions from friends, descriptions of the museums and car shows I attend and anything else relevant to those interested in automobiles and auto history. Copyright 2009, 2010, 2011, 2012, 2013, 2014, 2015 , 2016 by the author.
Thursday, May 5, 2016
What if someone hacked your car? From The cipher Brief
Everyone knows that they need to protect their computers from hackers, but have you ever considered what would happen if someone hacked your car? Automakers are incorporating ever more networked computer systems into their products, and this is beginning to create a new set of vulnerabilities with potentially far reaching consequences.
The increasing network connectivity within modern cars provides a host of useful capabilities that make drivers’ lives easier. Bluetooth and cellular network integration allow for the seamless use of phones –including Internet access and apps – without compromising safety while driving. Satellite radio connections provide a wide array of entertainment options. The benefits of GPS are more or less self-evident. But this connectivity is not solely focused on these external, driver-oriented systems. Cars also have networked systems that influence or monitor steering, braking, and engine function.
In addition, efforts are currently underway to improve and expand vehicle to vehicle (V2V) and vehicle to infrastructure (V2I) communications capabilities. V2V systems would allow cars to communicate their position, speed, and direction to one another at close range, thus enabling them to warn drivers about potential collisions. V2I are similar but would allow for communication with sensors along the roads themselves. While this could provide a safety function, it could also help to mitigate traffic, decrease emissions, and optimize fuel consumption for drivers.
Ideally, the sum total of all the systems would be a connected car that is safer, more efficient, and more pleasant to drive. But we do not live in an ideal world, and any capability which enables a car to communicate also opens it up to attack from malicious hackers.
The nightmare scenario here involves hackers seizing control of a vehicle while it is in motion. Initially, this was not considered to be a credible concern by most manufacturers but that changed in the summer of 2015, when two cybersecurity researchers were able to remotely hack a Jeep and take control of its steering mechanism while it was being driven. Yoni Heilbronn of Argus Cybersecurity, which specializes in cybersecurity for vehicles, described it as “a turning point—that moment when the industry realized cyber security was not just a theoretical threat.” This event forced Fiat-Chrysler Automobiles, which manufactures Jeeps, to issue a recall of the car – at great cost to the company. Additionally, the demonstration served to make consumers more aware of how poor vehicle cybersecurity could adversely affect them, personally.
While the thought of malicious hackers steering your car into oncoming traffic is certainly both frightening and dramatic, it is still relatively unlikely. The Cipher Brief spoke with Jon Allen, of Booz Allen Hamilton, about the motivations behind car hacks. His key take-away: “The threat scenarios will vary, but stealing data is the most likely motivation.” Hacking a car requires a certain degree of sophistication and skill, and most skilled hackers are looking to make money not sow chaos. Cars are no different than any other networked device in that the most financially valuable aspect of them – for hackers at least—is the data they carry and transmit. According to Allen, hackers will “seek to take advantage of this irresistible mix of personal, payment, and behavioral data that our connected cars increasingly collect.”
The Jeep hack served as a wake-up call to the entire automotive industry, making it clear that their products had a hole in their security that could have enormous consequences. Heilbronn told The Cipher Brief that “the Jeep case was especially far-reaching because of the potential threat to consumer safety the event implied in addition to the onerous financial and reputational damages it caused.” However, the auto industry has been providing a robust response to this emerging threat. For example, it formed the Automotive Information Sharing and Research Center (ISAC) as a means of improving cyber-threat information sharing across the industry. Many other sectors have also formed ISACs, and they appear to be a helpful mechanism for improving cybersecurity postures across a given industry.
Additionally, the auto industry is not starting from scratch in terms of learning how to address cyber-threats. Cybersecurity for vehicles is relatively new, but cybersecurity in general has been progressing smoothly for many years, and the auto industry can learn from the experiences of other industries and companies in order to better organize their own cybersecurity strategies. Thus far, automakers appear to have been proactive about engaging with the cybersecurity community in order to achieve this goal.
That being said, maintaining a strong security posture will require a continuous focus on emerging cyber-threats – as cars are only going to grow more connected over time, and hackers are only going to become more sophisticated. Cybersecurity is always a bit of a Red Queen problem, in which one must keep running just to stay in one place. Hopefully the auto industry will be able to run faster than the hackers.
Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.