By Chester Dawson
Hackers may have a new target in their sights—one that’s just as central to everyday life as computers are.
Our cars.
As vehicles fill up with more digital controls and internet-connected
devices, they’re becoming more vulnerable to cybercriminals, who can
hack into those systems just like they can attack computers. Almost any
digitally connected device in a car could become an entry point to the
vehicle’s central communications network, opening a door for hackers to
potentially take control by, for instance, disabling the engine or
brakes.
There have been only a handful of successful hacks on vehicles so far,
carried out mostly to demonstrate potential weaknesses—such as shutting
down a moving car and taking control of another’s steering. But security
experts paint a grim picture of what might lie ahead. They see a
growing threat from malicious hackers who access cars remotely and keep
their doors locked until a ransom is paid. Cybercriminals also could
steal personal and financial data that cars are starting to collect
about owners.
Or they might get even more ambitious. Some experts warn of a day when
millions of fully internet-connected vehicles will be at risk of being
hijacked remotely. A mass hack could be catastrophic for the
self-driving cars of the future, especially if those cars don’t have
steering wheels or other backup systems to let drivers take manual
control.
Now the auto industry and lawmakers are rushing to meet these threats.
Congress is proposing new standards that car companies must meet to
guard against cyberattacks. Car makers are beefing up their software to
make their vehicles tougher to hack, as well as reaching out to
benevolent hackers to help them identify potential security flaws.
While there are disagreements among manufacturers and security experts
about the exact magnitude of the possible threats, there is a widespread
consensus that action is needed immediately to minimize risks.
Cyberintrusions have given auto makers a “wake-up call” over the past
five years, says Phil Jansen, Fiat Chrysler’s
vice president for North American product development. “It has caused
us to rethink how we set up architectures” for vehicle electronics.
The new vulnerability comes as auto makers are increasingly using
software to control features and functions that have long been dominated
by hardware, such as braking, gear shifting and throttle control. It
represents a seminal break from the mechanical hydraulic systems of the
recent past, one that began with the introduction of electronically
controlled fuel injection in the late 1960s.
“Software is rapidly replacing hardware,” says Colin Bird, a senior
automotive industry analyst at IHS Markit Ltd.
“More than 50% of a car’s value today is defined by software, and that is continuing to increase.”
The digital features go far beyond rudimentary diagnostic monitoring
systems standard in most cars on the road. Newer cars have modems
enabling internet connectivity; today, these are used mostly for
entertainment, but they are fast evolving into portals for software
upgrades of critical systems and for sending data to cloud-computing
networks.
Even older models can be retrofitted with Wi-Fi routers and Bluetooth
modules that create wireless networks in and around a car, enabling
drivers to do things like answer phones hands-free, determine how many
miles are left in the tank before the next refill and stream videos to
the children in back seats.
Cybersecurity experts say this has made cars far more like personal
computers, with all the vulnerability that comes with that. Yet until
recently, network security was largely treated as an afterthought—the
systems were designed to give auto mechanics access to a car’s
functions, not fend off criminal hackers.
A handful of widely publicized attacks has demonstrated that
vulnerability, including a 2014 incident involving a Jeep Cherokee.
Hackers looking to point out potential vulnerabilities found a password
to a Wi-Fi hot spot and cellular connections used in the Jeep’s central
display and entertainment system. From there, they accessed the car’s
internal computer network and took control of functions ranging from the
door locks and window wipers to electronically assisted steering. That
prompted the recall of 1.4 million vehicles by Fiat Chrysler
Automobiles, and served as a warning to the industry that car networks
are no longer islands unto themselves.
Earlier this year, researchers at Argus Cyber Security Ltd. remotely
shut down a car’s engine using a Bluetooth-enabled device that monitors
engine performance and downloads vehicle data, made by German auto-parts
supplier Robert Bosch GmbH. The company says the device was in limited
distribution and that it immediately sent out a patch to fix the flaw.
Separately, Bosch said recently that it has developed an encrypted
standard for over-the-air software upgrades in vehicles.
Recently, cyber sleuths at security provider Trend Micro Inc.
disclosed a flaw in almost all cars from the past 30 years that makes
any number of safety features—such as anti-lock brakes—vulnerable to
attack. First, however, hackers need to gain access to a car’s internal
communication network by compromising a device connected to it, such as a
smartphone or USB adapter. But once inside, researchers found they
could shut down critical systems relatively easily by mimicking—or
spoofing—error messages on the central communications network standard
in most cars.
No simple fix
“There’s no simple fix,” says Mark Nunnikhoven, vice president of
cloud-computing research at Trend Micro. “This kind of internal network
was never meant to be connected the way it is now.”
Another immediate concern for safety experts is customer data. Auto
makers are setting up cars to collect and transmit a wealth of detailed
information such as the auto’s location, speed and even the driver’s
alertness—in other words, how, where and in what condition someone
drives. Industry officials say car makers are preparing to roll out
connectivity packages allowing owners to interact with service providers
and, for example, make purchases by credit card from the car while on
the road.
All of which could make that information a hacking target for spam-based
marketers or thieves looking to hijack people’s credit cards or
blackmail them using personal information about their whereabouts or
state of health.
Privacy advocates say more safeguards are needed to make it harder for
other people to get personal information about drivers—whether the
disclosures are authorized or not.
“Cars are for many Americans their second home. I don’t think I’m
exaggerating when I say that probably most of us have danced in our car,
cried in our car, and we’ve yelled in the privacy of our car,” says Joe
Jerome, a lawyer with the Center for Democracy and Technology, a
Washington, D.C.-based nonprofit advocacy group. “A lot of this
technology sort of changes that dynamic.”
But the really serious threats, security experts say, lie a few years
ahead, as internet-connected networks spread across car makes and
models. For instance, hackers might lock the doors of an entire model
line, extorting the auto maker to allow it to regain access.
“It is just a matter of time before large-scale attacks occur” on
automobiles, Miroslav Pajic, Duke University assistant professor of
electrical and computer engineering, said at a June conference on
connected cars co-sponsored by the National Highway Traffic Safety
Administration and the Federal Trade Commission.
Elon Musk, the chief executive of electric car-company Tesla Inc.,
highlighted the danger in a July speech to a gathering of state
governors in Rhode Island. Predicting almost all new cars will have
fully autonomous driving capability within a decade, Musk said that
could prompt a “fleetwide hack.”
In the wake of the recent incidents involving security flaws, and the
threat of more, the government is starting to weigh in. Last year, the
FBI issued a statement warning the public about the risks of car hacks. A
proposed bill that passed the House of Representatives recently and is
now headed to the Senate would require auto makers to appoint
cybersecurity officers and implement plans “for detecting and responding
to cyberattacks, unauthorized intrusions and false and spurious
messages or vehicle control commands.”
Hoping to stave off regulatory action, 14 major auto makers created a
forum two years ago, known as the Automotive Information Sharing and
Analysis Center, or Auto ISAC, to act as a clearinghouse for industry
best practices. The group says it will hold its first summit in
December.
Meanwhile, two leading auto-maker trade groups have spelled out privacy
principles regarding personal data to give owners more options, such as
providing an ability to opt out of services that share data on location
and other metrics, and adding protections for owners who opt in.
Car makers are also working to fortify their connected systems. They’re
patching flaws in software as they become aware of them, and beefing up
security so that spoofed, or fake, messages can be identified and
stopped, or stymied if they get past defenses. For instance, car engines
might not obey a command to “start and accelerate” unless air-bag
sensors in the car confirmed someone is in the driver’s seat.
General Motors Co.,
the largest U.S. auto maker, set up a dedicated cybersecurity group
three years ago that currently numbers 80 people. In July, GM hired two
cybersecurity experts who directed the Jeep hack in 2014.
“We have re-engineered our vehicle-development process to include
cybersecurity considerations from the earliest stages of vehicle
design,” GM’s chief cybersecurity officer, Jeff Massimilla, told a
conference on connected cars in June.
Last year, Fiat Chrysler
set up a “bug bounty” program to pay hackers for information on flaws
that could allow unauthorized access, but the company won’t say if that
has identified any vulnerabilities. Ford Motor Co.
and other global auto makers also have active programs to counter vehicle hacking.
What level of threat?
For now, analysts inside and outside the auto industry agree the
systemic risk to cars is limited. Most attacks have been contained to a
specific vehicle, and usually require close physical proximity and an
intimate knowledge of which connectivity technology is being used. All
of the known penetrations of vehicles were orchestrated by cybersecurity
experts for demonstration purposes.
These “white hat” hackers are more interested in exposing auto makers’
vulnerability and hubris than causing any harm to drivers. And even
“black hat” hackers may be more of a nuisance than a danger, doing
things like disabling a rear camera or erasing a digital-music library.
Security officials say criminal hackers are more likely to remain
focused on targets such as financial institutions that can be penetrated
remotely, at greater scale and for some sort of financial payoff.
And some auto-industry representatives say the threat of systemic hacks
is overblown, noting that so far there has never been a successful
“commercial hack” by criminal groups.
“Yes, it provides some potential vulnerabilities,” Dave Schwietert,
executive vice president of the Alliance of Automobile Manufacturers, an
industry lobby, said at the June conference in Washington. But “the
benefits, we believe, far outweigh the downside risks.”
Consumers are willing to accept that trade-off when it comes to
smartphones and other connected devices, and cars are the next logical
frontier for the internet to conquer. But as those connections to the
outside world proliferate, so does the potential for exposure to bad
actors, says Craig Smith