It’s 2020 and, as you start your premium family saloon for the morning commute, something is wrong. The 20in touchscreen is dead. Suddenly it flickers into life but instead of the usual map there’s a message: “Your car’s computer has been locked. We control your data, brakes and steering. To unlock your computer you’re obliged to pay a fine of $200.”
You’re not alone. As one of 8.6 million connected cars in the UK (up from a mere 1.8 million in 2016) that are capable of vital wireless internet updates and diagnosis – and now destructive malware – you are one of many getting their first taste of auto ransomware.
“It might sound like fantasy but this could happen,” says Alex Moiseev, managing director of the European arm of software security specialist Kaspersky Lab, as he sits in his hi-tech Paddington office. “It happens with desk computers now. It’s just a question of time before the bad guys move into your car, too.”
The F1 connection
Moiseev should know. Kaspersky is contracted by Ferrari F1 which, at each race, relies on hundreds of sensors to provide thousands of data points in real-time – monitoring tyre pressure, fuel burn efficiency, brake force and so on – that are wired to laptops scrutinised by race engineers. It’s Moiseev’s job to ensure not a single kilobyte of top-secret data is infiltrated.
For while F1 connectivity gives engineers a competitive edge, the introduction of so much wireless data has created a minefield, too, potentially jeopardising production-line security, the company’s internet provider and even the driver’s safety.
On a race weekend alone, says Moiseev, there’s a notable increase in malware traffic, so protecting systems and data has never been more important, especially as, in common with other manufacturers, today’s race car wizardry is tomorrow’s road-car driver safety aid.
The shocking ease with which a car’s computers can be hijacked was graphically illustrated last year when US hackers remotely took control of a Chrysler Jeep’s core functions – including brakes, wipers steering and transmission – during a dramatic filmed stunt.
It’s the very scenario that rival software security firm SQS is now hired by leading motor manufacturers to prevent. To date, says Stephen Morrow, its head of security services, cybercrime has resulted largely in legal exposure and asset theft for firms such as online shopping giant Home Depot and Sony Pictures Entertainment, which suffered major hacks last year. Soon, he predicts, attacks will move into the automotive arena, with potentially catastrophic results.
“Nobody is getting hurt yet, but as we start putting software in cars that are connected by internet, we are getting to the point where computer security intersects with public safety and human life. This is where things get much more serious,” he says. “Recent stunt hacks demonstrate that these vulnerabilities affect safety. Manufacturers need to get on top of things and take security much more seriously.”
Moiseev says the global motor industry got off to a very slow start. “It did not take cybercrime seriously enough – until recently,” he says. “For years automotive firms bought open-source software to run the 40-60 computers now controlling functions in the average car. Who vetted the people who wrote the codes? What bugs already lie dormant in our vehicles, waiting to be manipulated?”
Fortunately for motorists, the fightback has begun. Moiseev painstakingly created a Ferrari race simulator complete with pitwall at Paddington which, when driven, is searingly lifelike. Technicians use it to attack-test Ferrari’s telematics, seeking – and remedying – weak points to keep race and road cars safe. He says such procedures are now becoming commonplace across the industry.
In a closely guarded backroom – spurred by a monitor dramatically identifying real-time global cyber threats – technicians write new, bulletproof, codes for clients’ in-car computers.
Asked if it was doing enough to protect drivers’ safety, the Society of Motor Manufacturers and Traders (SMMT) told us: “Vehicle manufacturers are investing billions of pounds to make cars safer and more intelligent. Data security is paramount to the automotive industry. Manufacturers are always striving to stay one step ahead of organised criminals and constantly monitor for potential breaches so that customers’ information is kept safe.”
Last year the government weighed in, too, launching the Centre for Connected and Autonomous Vehicles which, this year, asked IT firms to bid for a £40,000 contract to investigate automotive cyber-attacks.
Auto cybercrime has also become a hot topic at top-level security conferences where leading experts, meeting in locations including Michigan, Detroit, San Francisco, Detroit and Shanghai in the past year, exchange intelligence.
But when will the industry’s luck run out?
The SMMT says more than 1.5 million UK motorists per year now leave showrooms in cars featuring self-activating safety systems. More than half of new cars registered in 2015 had safety-enhancing collision warning systems, with other technologies such as adaptive cruise control, autonomous emergency braking and blind spot monitoring surging in popularity. All rely on computers.
Statistics portal Statista predicts UK connected car take-up will increase from 1.8 million for 2016 to nearly 8.6 million by 2020. Worldwide, the number will rise to 160 million.
Carsten Maple, professor of cyber systems engineering at Warwick University, says: “Make no mistake, cyber security is a Tier One threat for the government, up there with terrorism and pandemics. Imagine if you had a major incident where all these autonomous vehicles stopped or crashed into each other. It’s possible.
“Let’s say I was a criminal. Would I say, ‘Give me £100 and I’ll unlock your car’ or, if there’s lots of data in your car, connected to your phone, with details of where you went and who you spoke to, would I blackmail you instead? Even though it has not happened yet, there is a concern it might.”
Andrew Miller, chief technical officer at Thatcham Research, which conducts electronic risk assessments on every new car brought to the UK market, says: “We have connected vehicles now, many using a non-removable e-sim to connect, or wireless device, or your phone. It’s an amazingly complex area allowing one computer to speak to another, and delivering major benefits. It’s also an emerging risk – and with more connected vehicles, that risk will increase for motorists.
“When this risk will really emerge is the moot point: no one really knows. But the opportunity to fight back is right now.”