Japan Inc. Gets Serious about Cybersecurity

TOKYO — Long before last year’s remote highway hacking of a Jeep Cherokee triggered the recall of 1.4 million Fiat Chrysler vehicles, it was the Toyota Prius under hack attack.

In that 2013 case, the same meddlesome computer whizzes who commandeered the Jeep — Charlie Miller and Chris Valasek — pranked a Prius driver from a backseat laptop, honking the horn, flipping the fuel gauge, spoofing the speedometer, even wresting control of the wheel.

Three years later, Toyota Motor Corp. and the rest of Japan’s carmakers are still seen as slow to adapt to the vulnerabilities of connected cars. But with the advent of autonomous driving just over the horizon, Japan Inc. is finally getting serious about cybersecurity.

Japanese automakers may take an important step as early as next year through the creation of a mutual support group for sharing information about hacks and data breaches. They are considering such a self-help group under the auspices of the Japan Automobile Manufacturers Association, hoping it will speed identifying threats and help keep bad guys at bay.

But even that may be a case of better late than never.

The industry in the U.S. formed a similar group last year, the Automotive Information Sharing and Analysis Center. And Europe has been working on shared cybersecurity standards since 2010 through the Germany-based Autosar, the Automotive Open System Architecture partnership.

“Everyone says that Japan is behind Europe and the U.S. But now we are catching up,” said Koji Hirabayashi, manager for electronic architecture development at Toyota and head of the information security committee at Japan Automotive Software Platform and Architecture, a group of 157 Japanese automakers, suppliers, software and electronics companies.

Japan aims to be on the same level with the U.S. and Europe by 2020, he said.

The country has a big reason to rush. Tokyo will host the Summer Olympics that year, and the government and the country’s automakers aim to use the games as a showcase for their progress in self-driving cars and connected vehicles. The last thing they want is humiliation on the global stage at the hands of hackers hunting security holes.

There was no shortage of horror stories at a recent Encrypted Security in Cars conference in Tokyo. Software engineers and executives from Japan’s top automakers and suppliers were schooled on what can go wrong. And they witnessed first-hand as computer pros competed to crack a car’s instrument cluster signals in Japan’s first-ever automotive hack-a-thon.

Hackers can get into car computers through a variety of spots, either through hard connections such as the OBD-II port or USB ports, or through Internet and Bluetooth links.

Last year, about one-third of all new cars had Internet connectivity. By 2020, more than three-quarters will, said Mike Ahmadi, director of systems security at Synopsys Inc.’s software integrity group and chairman of the Society of Automotive Engineers’ cybersecurity assurance testing task force. Many automakers are still blind to the changes coming, he said.

“I don’t think they fully understand the impact yet,” Ahmadi said. “They are working very hard, but I’ve seen companies that are literally doing nothing, automotive manufacturers.”

The Japanese especially, he said, have been conservative in rolling out defenses.

“The Japanese seem to be very interested,” he said. “The thing about the Japanese, though, is they take a lot of time analyzing things before they make a decision.”

Almost universally, Japan’s carmakers decline to comment on specifics about their anti-hacking measures. That would tip their hand to the wrong people, they say.

Honda Motor Co. and Subaru-maker Fuji Heavy Industries say they have no knowledge of hacking attacks against their vehicles. Mazda Motor Corp. declined to comment.

Meanwhile, Nissan Motor Co. says it has fixed a hole in its NissanConnect EV app.

That app was designed to allow drivers of the Nissan Leaf electric vehicle to control the car’s heating and cooling over the phone. But Nissan had to disable it in February after hackers found a way to adjust the climate control and view the driving histories of other people’s Leafs.

The Leaf could soon be in the headlines again.

In Tokyo, Marc Rogers, a so-called white hat benign hacker who is the principal security researcher at Cloudflare, presented on how he and a partner found vulnerabilities in the computers of the Tesla Model S. They worked with the U.S. electric car manufacturer to solve the problems and went public in 2015.

Rogers’ latest project: the Leaf. He said he has been fiddling with the car for about a year and will approach Nissan to privately discuss his findings once he finishes.

Regarding the Prius hack, a Toyota spokesman said it was important to note that the attack “required a physical presence inside the vehicle, partial disassembly of the instrument panel as well as a hard-wired connection, all of which would be obvious to the driver.”

More pressing, Toyota said, are attacks from outside the vehicle.

“Toyota has developed very strict and effective firewall technology against such remote and wireless services,” the spokesman said. “We believe our electronic control systems are robust and secure and we will continue to rigorously test and improve them.”

Toyota declined to say whether it was aware of any other hack. In the meantime, the carmaker said, it is taking part in Japanese discussions for an industrywide approach here.

Even though Japanese automakers can participate in overseas industry groups, such as Auto-ISAC, Toyota’s Hirabayashi said Japan needs its own association.

“Is information from North America sufficient if we are going to manufacture in Japan? There are regional features unique to Japan,” he said, adding that security measures are a “totally non-competitive domain” where manufacturers need to band together.

“It’s a chicken and egg problem. Even if an auto manufacturer takes countermeasures, hackers find gaps in the systems,” he said. “We need to collaborate.”


Leave a Reply