Hackers may have a new target in their sights—one that’s just as central to everyday life as computers are.
As vehicles fill up with more digital controls and internet-connected devices, they’re becoming more vulnerable to cybercriminals, who can hack into those systems just like they can attack computers. Almost any digitally connected device in a car could become an entry point to the vehicle’s central communications network, opening a door for hackers to potentially take control by, for instance, disabling the engine or brakes.
There have been only a handful of successful hacks on vehicles so far, carried out mostly to demonstrate potential weaknesses—such as shutting down moving a car and taking control of another’s steering. But security experts paint a grim picture of what might lie ahead. They see a growing threat from malicious hackers who access cars remotely and keep their doors locked until a ransom is paid. Cybercriminals also could steal personal and financial data that cars are starting to collect about owners.
Or they might get even more ambitious. Some experts warn of a day when millions of fully internet-connected vehicles will be at risk of being hijacked remotely. A mass hack could be catastrophic for the self-driving cars of the future, especially if those cars don’t have steering wheels or other backup systems to let drivers take manual control.
Now the auto industry and lawmakers are rushing to meet these threats. Congress is proposing new standards that car companies must meet to guard against cyberattacks. Car makers are beefing up their software to make their vehicles tougher to hack, as well as reaching out to benevolent hackers to help them identify potential security flaws.
While there are disagreements among manufacturers and security experts about the exact magnitude of the possible threats, there is a widespread consensus that action is needed immediately to minimize risks.
Cyberintrusions have given auto makers a “wake-up call” over the past five years, says Phil Jansen, Fiat Chrysler ’s vice president for North American product development. “It has caused us to rethink how we set up architectures” for vehicle electronics.
The new vulnerability comes as auto makers are increasingly using software to control features and functions that have long been dominated by hardware, such as braking, gear shifting and throttle control. It represents a seminal break from the mechanical hydraulic systems of the recent past, one that began with the introduction of electronically controlled fuel injection in the late 1960s.
“Software is rapidly replacing hardware,” says Colin Bird, a senior automotive industry analyst at IHS Markit Ltd. “More than 50% of a car’s value today is defined by software, and that is continuing to increase.”
The digital features go far beyond rudimentary diagnostic monitoring systems standard in most cars on the road. Newer cars have modems enabling internet connectivity; today, these are used mostly used for entertainment, but they are fast evolving into portals for software upgrades of critical systems and for sending data to cloud-computing networks.
Even older models can be retrofitted with Wi-Fi routers and Bluetooth modules that create wireless networks in and around a car, enabling drivers to do things like answer phones hands-free, determine how many miles are left in the tank before the next refill and stream videos to the children in back seats.
Cybersecurity experts say this has made cars far more like personal computers, with all the vulnerability that comes with that. Yet until recently, network security was largely treated as an afterthought—the systems were designed to give auto mechanics access to a car’s functions, not fend off criminal hackers.
A handful of widely publicized attacks has demonstrated that vulnerability, including a 2014 incident involving a Jeep Cherokee. Hackers looking to point out potential vulnerabilities found a password to a Wi-Fi hot spot and cellular connections used in the Jeep’s central display and entertainment system. From there, they accessed the car’s internal computer network and took control of functions ranging from the door locks and window wipers to electronically assisted steering. That prompted the recall of 1.4 million vehicles by Fiat Chrysler Automobiles , and served as a warning to the industry that car networks are no longer islands unto themselves.
Earlier this year, researchers at Argus Cyber Security Ltd. remotely shut down a car’s engine using a Bluetooth-enabled device that monitors engine performance and downloads vehicle data, made by German auto-parts supplier Robert Bosch GmbH. The company says the device was in limited distribution and that it immediately sent out a patch to fix the flaw. Separately, Bosch said this month that it has developed an encrypted standard for over-the-air software upgrades in vehicles.
Last month, cyber sleuths at security provider Trend Micro Inc. disclosed a flaw in almost all cars from the past 30 years that makes any number of safety features—such as anti-lock brakes—vulnerable to attack. First, however, hackers need to gain access to a car’s internal communication network by compromising a device connected to it, such as a smartphone or USB adapters. But once inside, researchers found they could shut down critical systems relatively easily by mimicking—or spoofing—error messages on the central communications network standard in most cars.
No simple fix
“There’s no simple fix,” says Mark Nunnikhoven, vice president of cloud-computing research at Trend Micro. “This kind of internal network was never meant to be connected the way it is now.”
Another immediate concern for safety experts is customer data. Auto makers are setting up cars to collect and transmit a wealth of detailed information such as the auto’s location, speed and even the driver’s alertness—in other words, how, where and in what condition someone drives. Industry officials say car makers are preparing to roll out connectivity packages allowing owners to interact with service providers and, for example, make purchases by credit card from the car while on the road.
All of which could make that information a hacking target for spam-based marketers or thieves looking to hijack people’s credit cards or blackmail them using personal information about their whereabouts or state of health.
Privacy advocates say more safeguards are needed to make it harder for other people to get personal information about drivers—whether the disclosures are authorized or not.
“Cars are for many Americans their second home. I don’t think I’m exaggerating when I say that probably most of us have danced in our car, cried in our car, and we’ve yelled in the privacy of our car,” says Joe Jerome, a lawyer with the Center for Democracy and Technology a Washington, D.C.-based nonprofit advocacy group. “A lot of this technology sort of changes that dynamic.”
But the really serious threats, security experts say, lie a few years ahead, as internet-connected networks spread across car makes and models. For instance, hackers might lock the doors of an entire model line, extorting the auto maker to allow it to regain access.
“It is just a matter of time before large-scale attacks occur” on automobiles, Miroslav Pajic, Duke University assistant professor of electrical and computer engineering, said at a June conference on connected cars co-sponsored by the National Highway Traffic Safety Administration and the Federal Trade Commission.
Elon Musk, the chief executive of electric car-company Tesla Inc., highlighted the danger in a July speech to a gathering of state governors in Rhode Island. Predicting almost all new cars will have fully autonomous driving capability within a decade, Mr. Musk said that could prompt a “fleetwide hack.”
In the wake of the recent incidents involving security flaws, and the threat of more, the government is starting to weigh in. Last year, the FBI issued a statement warning the public about the risks of car hacks. A proposed bill that passed the House of Representatives this month and is now headed to the Senate would require auto makers to appoint cybersecurity officers and implement plans “for detecting and responding to cyberattacks, unauthorized intrusions and false and spurious messages or vehicle control commands.”
Hoping to stave off regulatory action, 14 major auto makers created a forum two years ago, known as the Automotive Information Sharing and Analysis Center, or Auto ISAC, to act as a clearinghouse for industry best practices. The group says it will hold its first summit in December.
Meanwhile, two leading auto-maker trade groups have spelled out privacy principles regarding personal data to give owners more options, such as providing an ability to opt out of services that share data on location and other metrics, and adding protections for owners who opt in.
Car markers are also working to fortify their connected systems. They’re patching flaws in software as they become aware of them, and beefing up security so that spoofed, or fake, messages can be identified and stopped, or stymied if they get past defenses. For instance, car engines might not obey a command to “start and accelerate” unless air-bag sensors in the car confirmed someone is in the driver’s seat.
General Motors Co. , the largest U.S. auto maker, set up a dedicated cybersecurity group three years ago that currently numbers 80 people. In July, GM hired two cybersecurity experts who directed the Jeep hack in 2014.
“We have re-engineered our vehicle-development process to include cybersecurity considerations from the earliest stages of vehicle design,” GM’s chief cybersecurity officer, Jeff Massimilla, told a conference on connected cars in June.
Last year, Fiat Chrysler set up a “bug bounty” program to pay hackers for information on flaws that could allow unauthorized access, but the company won’t say if that has identified any vulnerabilities. Ford Motor Co. and other global auto makers also have active programs to counter vehicle hacking.
What level of threat?
For now, analysts inside and outside the auto industry agree the systemic risk to cars is limited. Most attacks have been contained to a specific vehicle, and usually require close physical proximity and an intimate knowledge of which connectivity technology is being used. All of the known penetrations of vehicles were orchestrated by cybersecurity experts for demonstration purposes.
These “white hat” hackers are more interested in exposing auto makers’ vulnerability and hubris than causing any harm to drivers. And even “black hat” hackers may be more of a nuisance than a danger, doing things like disabling a rear camera or erasing a digital-music library.
Security officials say criminal hackers are more likely to remain focused on targets such as financial institutions that can be penetrated remotely, at greater scale and for some sort of financial payoff.
And some auto-industry representatives say the threat of systemic hacks is overblown, noting that so far there has never been a successful “commercial hack” by criminal groups.
“Yes, it provides some potential vulnerabilities,” Dave Schwietert, executive vice president of the Alliance of Automobile Manufacturers, an industry lobby, said at the June conference in Washington. But “the benefits, we believe, far outweigh the downside risks.”
Consumers are willing to accept that trade-off when it comes to smartphones and other connected devices, and cars are the next logical frontier for the internet to conquer. But as those connections to the outside world proliferate, so does the potential for exposure to bad actors, says Craig Smith, research director of transportation security at Rapid7 Inc., a Boston-based security-data and analytics firm, and author of a guide for penetration testers, “The Car Hacker’s Handbook.”
“There’s always a bug you’re not aware of, so you’re not going to be able to avoid penetration at every point of contact,” says Mr. Smith.