High-Tech Cars & Cyber Security: Separating Fact from Fiction

Imagine this scenario: As you you’re driving down the highway at 65 miles an hour, a hacker gains control of your car, then sends you into incoming traffic.

Here’s the good news: It’s very unlikely that will ever happen to you personally.

Here’s the bad news: It could still happen, and, if it happens, attackers are more likely to target millions of vehicles all at once, far more than a few vehicles one by one.

Even though the press covered such risks initially three years ago, car hacking is still so new that there's a lot of fear and misunderstanding about it. In this article we’ll delve into the real facts about it and clue you into what individuals and businesses do and don’t need to worry about.

Why Are Cars Hackable?

Why can cars be hacked? The reason is simple: They’re filled with lots of software and connectivity. Brian Witten, Head of Advanced Technologies, Office of the CTO at Symantec, notes that potential attack vectors include cellular connectivity, as well as Bluetooth, WiFi, and more.  In the United States, over a third [MOU1] of cars are already connected to the Internet.

Even if you don’t have advanced features for streaming music or traffic updates to a navigation system, your car might still be connected to the Internet for simple automatic crash notification, saving lives.

Jake Williams, founder of the cyber security firm Rendition Infosec, says, “The more networking features a car has, the more potential it has for being hacked.”

A KPMG report, “Protecting the fleet…and the car business” notes, “The average car contains more than 150 million lines of code, plus multiple individual computers and a vast number of wireless connections to internal and external channels.” It says that as a result, cars now have more code embedded in them than an F-25 fighter or a Boeing 787.

It can seem almost impossible to protect automobiles, given their complex onboard systems and the logistics and money that would be required to fix all possible holes for millions of new and existing cars. A Symantec report, “Building Comprehensive Security into Cars,” warns, “Companies often use redundancies at critical IT layers to keep high-volume web services running reliably, but few, if any, carmakers can afford the NASA-like investment of doing this for every vehicle.”

Follow the Fleet

With that in mind, let’s go back to our original scenario. Why is it unlikely that hackers will target an individual car, especially given that’s already been done when an SUV was taken over and stopped cold by hackers when it was being driven 70 miles an hour on a highway?

The reason, Witten says, is that there’s a greater economic incentive for attackers to hack fleets rather than individual cars, and in many ways it’s actually easier to hack lots of similar cars indiscriminately, rather than try to find a specific vehicle belonging to a single owner.

“It can take a few people less than a year to learn how to hack into cars,” he says. “But once you figure out how to hack into a type of car in general it's often easier to hack the whole fleet than a single car. Once you figure out how to hack one brand, you've pretty much figured out how to hack nearly any new car of that brand. And it's easier to just hack them all over the Internet than to find one that a specific person is driving.”

There are many potential incentives for hacking entire fleets. Imagine your car failing to start but displaying a number to which you need to wire money if you want your car to start.  As such “automotive ransomware” risks become more likely, not all incentives are financial.  For instance, foreign governments could do the hacking as part of a cyber attack on a nation’s basic infrastructure.

“Fleet hacking is a lot more tractable than a lot of people realize,” Witten says.

Many people agree with him. Elon Musk believes it will be a particularly serious problem when autonomous vehicles become more widespread. “I think one of the biggest risks for autonomous vehicles is somebody achieving a fleet-wide hack,” he said at the National Governors Association meeting last summer. The federal government has also started to take notice. The Department of Homeland Security (DHS) and the Department of Transportation (DoT) have been working on cyber security for the federal government’s fleet of vehicles.

What Can Be Done About It?

What to do if you’re worried about getting hacked? First, check to make sure that your car’s software is updated by checking with the dealer.  Many carmakers are in the process of fixing vulnerabilities in vehicle software. 

Some are able to fix those vulnerabilities with updates sent “over the air” using the cellular network, but other automakers can only fix such vulnerabilities when the vehicle is brought in for regular maintenance.

Still, with so many attack vectors, nothing is perfect.  In addition to cellular modems that are needed to save lives through Automatic Crash Notification (ACN), some of the risks to the vehicle might be in the supply chain itself.

The answer, according to Witten, is that auto makers need to recognize the dangers of fleetwide hacking, and build wide-ranging security into cars, including a comprehensive security architecture, cryptographically protecting communications into and out of automobiles, working in concert with network operators who supply cars’ connectivity, and building a vehicle security operations center where analysts can hunt security threats on at a fleetwide scale, and other systemwide protections.

“You’ve got to do all that, and also keep everything up to date, because security is never finished,” he says. “The adversary is nimble, and if you’re not agile, they are. And they’re going to eat your lunch if you’re not prepared.”

If you found this information useful, you may also enjoy:

• Building Comprehensive Security into Cars