Car manufacturers have been bruised by recent hacking conferences. Digital security is not something they have historically had to deal with, so it’s not surprising they are experiencing a few (rough) bumps in the road. No security system is ever perfect, but some of the glaring flaws found in a number of cars and Internet of Things (IoT) devices are a little worrying. As more and more cars and other devices start connecting to the internet and each other, the security challenge is only getting bigger.
Driverless cars are almost with us but, as we put our lives in the hands of the car, potential security threats start to look very scary. After the discovery of fundamental flaws in one of its systems, Fiat Chrysler recalled 1.5 million vehicles, but some worry that the stunt by Wired Magazine has done more to damage the relationship between the security research field and car companies.
Car manufacturers and other IoT vendors are not used to working with the cyber security community and may already be a little suspicious. Volkswagen even sought to prevent vulnerability information from being published. Things are changing and many companies are starting to take more notice. Tesla are even encouraging researchers to expose more flaws with a bounty and Uber has just hired the two hackers who exposed the Fiat Chrysler flaw. The more of this that happens the better.
Mobile apps and cloud services represent a particularly vulnerable element in the connected ecosystem. Access to vehicles has been gained through mobile apps for BMW, Mercedes-Benz and Fiat Chrysler cars, and cloud services present another potentially easy way in. It is attacks through connected car services like Fiat Chrysler’s Uconnect that allow hackers to gain access to the car from any secure internet connection. 3G and 4G connections are notoriously difficult to secure and are easy to take control of.
Internal security is also part of the issue. The ease with which you can go from connecting to the car to controlling different elements like the brakes or acceleration is part of the problem. In most cars these elements are not fully connected, providing some incidental security and preventing hackers from accessing some of the vital car operations. It’s not just about gaining control of the car either; a hacker could use any unwanted access to gain information from the car about where it is, what it’s doing and even personal information.
Driverless cars will run on many more software systems, all directly connected to the important bits of the car. Reliance on more external sensors will open up new vulnerabilities. Someone may not even need to hack into the car directly; they may be able to cause as much damage simply by blocking the car’s sensors or flooding it with misinformation. The LiDAR sensors that the LUTZ Pathfinder pods, Google’s driverless car and many other AVs rely on can be easily tricked into thinking there are objects in the way when they don’t actually exist.
In any computer system, as the number of lines of code goes up, so does the number of bugs that can be exploited. At the moment the newest cars on the market operate with around 100 million lines of code, but truly autonomous cars will need several orders of magnitude more than this to operate. The number of critical systems will also increase; it would only take one operation to fail or be disrupted for a fatal accident to happen.
How worried should you be?
I would say worried and vocal enough to make sure the situation changes and the sector matures, but you shouldn’t be losing sleep over it. Cybercrime is a business after all and if there isn’t a profit to be made through hacking cars, people won’t do it. At the moment there seems to be little financial motivation, which is good news. That’s not to say a few people won’t try to cause disruption simply because they can, but the greater the obstacles and the better the fail-safes, the less likely it is to happen.
In the end if someone really wants to take control of your connected car and has the means, they probably will. Equally if someone wants to cut your brakes they can. The only difference is now someone might be able to do it from anywhere in the world rather than having to get their hands dirty.
Perhaps a more attractive target for hackers is accessing data through the car, particularly personal information that could either be sold or used to turn a profit in some other way. How car manufacturers respond to security and software issues will decide how much trust customers place in connected cars. If they get it wrong, it won’t be good for a driverless car revolution.
This post was written by Nesta, the UK’s innovation charity. Harry Armstrong is a Senior Researcher in the organisation’s policy and research team.