GM invites hackers to try to hack its vehicles to test their defenses.
As more and more cars become internet-connected, or even self-driving, cybersecurity is going to be more important than ever.
And the stakes are higher than ever before — because unlike most traditional hacks, people’s lives are at stake.
One morning, in the not-too-distant future, you’re in a rush to go to work — but when you put the keys in the ignition, your shiny new car doesn’t start.
Instead, a message flashes on the dashboard screen: You’ve been hacked. Pay the hacker $500 (£407) within 24 hours, or you’re locked out of your vehicle permanently. It’s outrageous extortion, but you can’t afford to miss this morning’s meeting, so you grit your teeth and pay.
This is a futuristic twist on ransomware, a nasty type of malware that encrypts the victim’s data and demands a bounty if they ever want to see their files back. It’s a fast-growing, highly lucrative business, estimated to cost as much as $1 billion (£814 million) a year in ransoms and damages.
And many security experts believe that as cars come online and autonomous vehicles hit the streets, they could become the next frontier for cyber-extortion and other forms of hacking.
“It doesn’t take a great leap of faith,” Raj Samani, chief technology officer of Intel Security EMEA, said. “You can’t afford not to be able to use your vehicle … there’s certain things that we take as essential to our work lives, our lives as parents, and things like that, we’re going to do what it takes.”
Ethical hackers can find problems that traditional employees might miss
The automotive industry isn’t blind to the threat posed by car hacking. Over the last year or so, security researchers have made frequent headlines by targeting internet-connected vehicles, probing them for vulnerabilities and seeing what they can pull off.
In one high-profile incident, hackers killed a Jeep’s transmission as it was traveling at 70 miles per hour down the highway with Wired journalist Andy Greenberg inside it.
So when researchers successfully target a vehicle or automotive company, it can make for some alarming headlines. But the companies generally don’t get angry. In fact, they welcome it.
Third-party researchers “provide us a unique perspective,” Jeff Massimilla, chief product cybersecurity officer for auto company GM, told Business Insider at the Mobile World Congress tech conference in Barcelona in February.
Contracted security firms — as well as GM’s internal team — are usually “trained to look at it one specific way.” As a result, they can miss things — whereas freelance researchers and “ethical hackers” can bring diverse viewpoints, and find vulnerabilities others might not think to look for.
GM’s approach is by no means unique — most major tech companies operate some kind of vulnerability disclosure program that welcomes public submissions (so long as they abide by certain ethical standards). The 108-year-old car company works with HackerOne, an organization that connects companies to researchers and provides a platform for disclosing risks.
Some companies even offer “bug bounties” — paying researchers when they discover vulnerabilities in their platforms — but GM hasn’t gone down this route. “Our public program is coordinated disclosure, it’s the ‘welcome mat,’ and we provide credit to the researchers,” Massimilla said. The company does plan to offer private bounties, via HackerOne, to select researchers in the future.
Since the program’s launch a year ago, it has had hundreds of submissions, the executive said.
When it comes to cars, the stakes are far higher
If the security team at a social network misses something, worst case scenario, a whole lot of user data and financial information might get stolen. It’s damaging — potentially company-ending — but not the end of the world.
When it comes to protecting connected cars, the stakes are far higher.
“A computer, a laptop, or a phone doesn’t necessarily travel down the road and carry your loved ones, right?” Massimilla said.
If GM finds a vulnerability in one of its connected vehicles, what does it do? The response “can be anything from patches to software, all the way to cutting the connection to vehicles if we felt we had an imminent danger for our customers.”
Vulnerability submissions aren’t the only way GM security-tests its vehicles, of course. Massimilla’s team works throughout the development of a vehicle to try and make sure it is secure, and it also has a “red team” that fulfills a similar function to ethical hackers in-house. And the executive is also the vice-chairman of the Auto ISAC, an industry body that shares information on security issues among its members.
Massimilla wouldn’t discuss the nature of the vulnerabilities it has seen, whether submitted by ethical hackers or found in-house. But he did confirm that GM is looking at the risks of ransomware, among other threats.
“That is a very logical criminal behavior … it’s absolutely something that we, along with many other things, [see] as what we are trying to protect against in the vehicle.”
Car hacking is worrying — but the alternative could be worse
The threat posed by car hacking is worrying — but Intel’s Raj Samani argues that there’s a more worrying possibility. “The biggest risk is that we don’t have self-driving cars. We need better tech in cars, because it’s going to be safer than that crazy taxi driver that knocked me down,” he said, referring to how he was hit by a car in Brussels last year.
“But if people lose trust in self-driving cars or connected cars because there is vulnerability, because there is ransomware, because they suck up all your privacy and sell it off to third-parties, then they’re not going to go out and buy connected cars.”
Self-driving cars could save tens of thousands of lives every year — but not if people turn against the tech because of security fears before it ever hits the road.