Just how scared is the auto industry that your car’s computer system could be hacked and your auto turned into a deadly weapon?
In an unusual announcement, 15 carmakers, accounting for 98 percent of the vehicles now on the road, said they’ve joined forces in the Automotive Information Sharing and Analysis Center (Auto-ISAC) to hold a “hacking attack drill” on July 21. Its purpose: to fight cyberinvaders who could literally take control of your steering wheel and use your vehicle to commit mayhem, or simply steal the information contained in the estimated 70 computer systems in a modern car and use it against you.
Thus far carmakers have been lucky. At least, luckier than major retailers that have had customer credit card accounts hacked, hospitals that have had to pay ransom in bitcoin to regain control of their computers and even law-enforcement units that have been spoofed out of their data.
But carmakers realize that as their vehicles become computers on wheels, their luck won’t last. And hackers who recently took control of a Jeep Cherokee on CBS’ 60 Minutes through its Wi-Fi connection proved it. “The so-called attack surface of connected vehicles is expanding,” said Tom Stricker, Auto-ISAC chairman and a vice president of Toyota North America.
“The auto industry had to get out in front of this before an attack,” said Jon Allen, acting executive director of Auto-ISAC. “As cars become more complicated and more connected, they will become more attractive to bad guys.”
Those bad guys include criminal organizations in Eastern Europe, rogue states and terrorists. The scenarios being discussed range from doomsday, such as a truck being taken over and driven into a crowd (hardly a far-fetched scenario anymore), to selling and buying car owners’ information on the “dark web,” said Allen.
Stricker and Allen said they had just completed their “war games” focused on any outsider trying to manipulate a vehicle in any way. Virtually every carmaker — and 10 auto equipment suppliers — participated. That’s because cybersecurity features should be integrated during the product-development process rather than being add-ons, they said. And vulnerabilities in the supply chain can be exploited as easily as the car itself.
“I’m amazed at how fast the industry has moved on this,” said Allen, a cybersecurity expert and principal at the consulting firm Booz Allen Hamilton. “Normally automakers are highly competitive, but they see that an attack on one is an attack on all.”
Stricker and Allen didn’t give specifics on how the auto industry plans to fight attackers. “We don’t comment on specific vulnerabilities,” said Stricker. But in broad strokes it involves building an “immune system” where any cyberthreat is immediately communicated to all members through a private Internet portal.
The entire industry will then put its computer experts on the job to defend against the threat and make sure it’s neutralized and doesn’t happen elsewhere in the industry. That will include attending auto-specific hackathons and other cybersecurity events such as DEF CON and Black Hat conferences.
The Auto-ISAC began operation only in July of last year, but at least 50 experts have put in more than 800 hours of preparation for these war games. The organization is working on developing secure hardware and software and responding to hacking attacks.
Stricker and Allen realize that nothing is totally secure and that hackers are constantly going to probe for vulnerabilities in an arms race against the auto industry and others. But by sharing information immediately, they’re confident they can develop industrywide countermeasures “in real time” with a best-practices playbook.
“But it’s not an industry standard,” said Allen. “It’s a living document. We’ll have to move along as the technology moves along.”