Connected cars are becoming increasingly common, with connected car shipments expected to hit 64 million units by 2019. However, some fear that internet-capable vehicles may be vulnerable to cyberattacks. With the risk amplified in automated cars, is connected car hacking something we need to worry about?
At present. most new vehicles are ‘connected’; fitted with some form of in-vehicle communications or internet access.
However, just as with any device that is connected to an external network, the more tech that goes into cars, the more opportunities there are for hackers.
Connected cars have been the victim of hacks for over a decade
Connected car hacking is nothing new, with hackers identifying them as a potential target as early as 2002. In 2005, non-profit organisation Trifinite developed a tool called Car Whisperer that allowed people to transmit or record audio from passing cars with unconnected Bluetooth hands-free units.
In 2010, a hacker was able to gain control of 100 cars in Austin, Texas, shutting down the vehicles and sounding their horns.
In 2015, two hackers remotely gained control of a Jeep Cherokee, leading to Fiat Chrysler recalling 1.4 million vehicles.
In 2017, Chinese security researchers from Tencent demonstrated that they were able to hack a Tesla Model X, turning on the breaks and locking and unlocking the doors.
Like any connected device, there is a risk of hacking
Although the majority of the hacks mentioned above were carried out by hackers looking to demonstrate vulnerabilities in the vehicle’s security, hacks of a malicious nature pose a real risk.
From accessing personal data and stealing cars that use keyless entry to taking control of the car’s breaks or steering, connected car hacking, particularly involving driverless vehicles, could have a life-threatening impact.
In 2016, a security firm from Norway demonstrated just how easy it is to hack a connected car by unlocking and stealing a Tesla Model S car using Tesla Motor’s Android smartphone app.
ERM Advanced Telematics believes that cyber and ransomware attacks are one of the most serious threats to connected cars.
“Ransomware attacks are emerging as some of the most serious cyber risks with which connected cars must withstand. During a ransomware attack on a connected car, hackers remotely connect to the car, damage or lock it, and demand that the owner pay them ransom to resume its proper operation,” the company said in a press release.
According to the Irdeto Global Connected Car Survey published in 2017, consumers’ concern about the security of connected cars may discourage them from buying one, with 85% of respondents said that they believe that a connected car is liable to be a target for a cyberattack.
Preventing connected car hacking
Although it is impossible to entirely protect anything that is connected to the internet from a security breach, Tesla, Fiat Chrysler and GM have all invested in improving defence of their connected cars, hiring cyber experts in the process.
Security companies are developing software to keep up with the changing capabilities of connected cars and the security risks that this brings. Rather than being bolted on, manufacturers are increasingly recognising that that cybersecurity needs to be part of a connected car’s core functionality. Companies are now developing integrated hardware-software product that protects vehicles against ransomware and other cyberattacks.
According to hackers Kevin Mahaffey and Marc Rogers, there are three key things that can be done to lower the risk of cybersecurity attacks.
Firstly, over-the-air update systems, the wireless delivery of new software or data to a device, mean that cars do not need to be recalled every time a security vulnerability is found, and also mean that drivers do not have to take cars to mechanics to have their security updated.
The separation of drive and non-drive systems is also crucial. A drive system is any part of the car responsible for motion, and a non-drive system is any other element in the car responsible for other things such as navigation or entertainment. The two must be kept separate so that if one aspect is hacked, there is less chance of it affecting the other.
Furthermore, individual components of the car must be secured separately so that if one system is compromised, the hacker will not automatically have access to other parts.
Legislation may also ensure that manufacturers incorporate built-in cybersecurity into vehicles. In 2017, the UK Government issued guidance to ensure that smart vehicles are equipped with cyber protections to help eliminate hacking.
In 2015, two US senators introduced legislation that requires connected cars sold in the US to meet certain security standards.