Hot wheels hacked: How automakers are securing connected cars
What happens when a car is increasingly connected to the networks and technologies that connect other devices?
In a not-too-distant future, cars would not only connect to wireless networks but also communicate with each other on the road, helping onboard computers navigate all obstacles the way humans do.
It’s a futuristic outlook that comes with new cybersecurity challenges for the industries involved. The threat of someone hacking a vehicle to wreak havoc is something out of a Hollywood action movie, yet vulnerabilities already exist. Computerized vehicle functions have largely been standard for some time, and in-car infotainment is increasing their connectivity, which may leave them open to attack.
How does car-hacking happen?
This is the world that Alissa Knight lives in; she’s a hacker and researcher who has been helping the auto industry test and prepare for such a scenario.
“We're going to hit an inflection point where buyers are going to be more concerned about their car’s cybersecurity,” says Knight, a senior analyst at Aite Group, in an interview with Futurithmic.
“In speaking at conferences about how to hack cars — that you can take control of the steering wheel remotely over the internet, or that you can push the brakes and hit the gas remotely — it’s amazing to me that a lot of consumers still don't know this is a thing.”
One incident did gain some headlines in 2015 when hackers took control of a Chrysler Jeep, which ended up in a ditch. It was an ethical hack meant to highlight vulnerabilities in the company’s Uconnect infotainment system, and though no one was hurt, the damage was done in other ways. Chrysler issued a recall for 1.4 million vehicles to patch the security threat.
SIM cards are now common fixtures in vehicles because they enable automakers to update software over the air, rather than forcing owners to manually update them at a dealership. Sometimes, those SIMs also provide the signal for in-car Wi-Fi hotspots. Hackers could potentially exploit them.
Knight refers to the Jeep hack as “sophisticated,” and that only capable people with know-how would be able to replicate it under current conditions. “You need somebody that knows what a CAN bus (controller area network) and telematics control unit is, what cam signals are — it's not something [unskilled hackers] are going to be able to pull off, which is probably why it's not so prevalent. But I think that will change if history has ever taught us anything about malware,” she says.
For the time being, known hacks have been more ad hoc vehicle-to-vehicle scenarios that are harder to detect. Vehicles are often hacked today for theft and chip-tuning reasons using more rudimentary exploits, says Colin Bird-Martinez, a senior auto tech analyst with global research firm IHS Markit.
“Mechanics often know how to use an OBD-II (on-board diagnostics) reprogramming scan tool, where proper OEM-accredited (original equipment manufacturer) tools contain keys to bypass the firewall to reprogram engine control units (ECUs) in the car,” says Bird-Martinez. “Besides thieves, OBD-II is only currently used for hacking purposes among performance tuners who gain access to the vehicle’s security system to bypass and reprogram the fuel map. Con artists use it to roll back the odometer.”
Automakers, suppliers, organizations and governments are concerned with fleet-wide cybersecurity threats when those vehicles are networked together via telematics, modems or the vehicle-to-everything (V2X) protocol cars will presumably use in the near future to communicate over a 5G network.
Trying to stay a step ahead, automakers have established cybersecurity departments, working to include engineering, development and validation processes for new vehicles to include defense.
“Automakers used to retrofit cybersecurity software solutions onto existing systems once a flaw was discovered, which is not the best way to go,” he says. “They also created ‘bug bounty’ programs to incentivize altruistic hackers to find exploits and disclose them to the automaker for compensation. Now, they’re helping set up information-sharing organizations that also work with governments across the globe.”
GM has followed a similar path, claiming to be the first major automaker to create a team of experts focused on cybersecurity protections within the company, including a bug bounty program open to ethical hackers.
Currently, GM also chairs the Auto-ISAC (Automotive Information Sharing and Analysis Centre), a consortium of private and public sector partners who share and analyze emerging threats targeting the auto industry.
Its Super Cruise semi-autonomous driving mode, currently available on 2018, 2019 and 2020 models of the Cadillac CT6, allows the vehicle to drive itself on supported highways in Canada and the United States. It could be a target for cyberattackers, but Cadillac opted instead to roll out a new security-centric digital platform for the 2020 CT5, which it plans to include in the Corvette and remaining models leading up to 2023.
“We have in place a security vulnerability disclosure program and partner with organizations like HackerOne,” says Chad Lyons, GM communications spokesman. “We see this as an additional tool to stay ahead of threats, and we also formed a small, elite internal penetration-testing team whose sole purpose is to work to find vulnerabilities in any of our products.”
Knight believes most drivers don’t realize that vehicles are a “hodgepodge of over 100 manufacturers” of different devices, parts and cables. While she lauds automakers’ efforts to undertake defensive strategies, she feels suppliers also have to be part of the solution.
“I’ve been in penetration tests with automakers where we couldn't get our hands on third-party code to analyze it because they weren't willing to be involved in the test, and the automakers couldn't do anything about it,” she says. “It is changing, though. OEMs I’ve been working with will now issue a request for proposal (RFP) to anyone they source tech from, requiring a penetration test that produces a report showing vulnerabilities they identified, how they categorized them, and which ones they remediated.”
She considers a connected car a “network on wheels” that will include telecom and IT infrastructure to ensure its security moving forward: “You don’t have to be driving a Tesla to be vulnerable because cars today are basically rolling computers.”