A rise in technologically advanced, connected cars have left many new models vulnerable to sopihsticated hackers. Yet, as Sotiris Kanaris found out, we are only beginning to take cyber security in our cars seriously.
In recent years, many car manufacturers have shifted their attention away from horsepower and towards offering connected and high tech features.
The new connected infotainment systems have altered drivers’ engagement with the vehicle, as they can provide – among other things – real time vehicle information, maps and weather forecasts.
However, car hacking incidents revealed the negative side of vehicle connectivity, with cybersecurity researchers – so-called white-hat hackers – being able to compromise cars wirelessly.
A researcher duo took control of a Jeep through Uconnect, the internet-connected system Fiat Chrysler Automobiles (FCA) uses for vehicle entertainment and navigation. Another researcher claimed that he could locate, unlock and remotely start General Motor’s vehicles equipped with OnStar System.
Hackers no longer need access to an entire car to find attack surfaces. Someone that knows a car’s IP address can compromise it through its cellular connection by attacking a connected component.
Research by cybersecurity firm SBD found that there are over 50 attack points in a typical connected car ecosystem.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below formBy GlobalData
Despite this high number, hacking a car is extremely difficult even for researchers. Paul McEvatt, senior cyberthreat intelligence manager at Fujitsu UK, says that the process the researcher duo used to compromise the Jeep was lengthy and extremely complex. McEvatt highlights that this level of hacking is not something that non-professionals could do.
"It took them over a year looking for compromise points, such as open ports, using a cellular network," says McEvatt. "They are experts and they got it wrong a couple of times before managing
to compromise the vehicle. It certainly was not an easy thing, something that anyone can do."
To date, there has not been a public announcement of a criminally motivated cyberattack on a vehicle.
However Mike Parris, head of the secure car division at SBD, believes that the extensive media coverage of the recent vehicle hacking incidents could trigger criminally motivated attacks in the future.
Parris says that this occurred in the energy industry, following an attack on an Iranian nuclear facility, the so-called ‘Stuxnet attack’. He says that when it entered the public eye, the number of attacks in the industry increased significantly.
"As soon as hackers realised that it was possible, the number of attacks on power plants rocketed," says Parris. "We would suggest that up until now there was no reason to think about attacking a connected car. I think the automotive industry is on that curve. If it follows the same trajectory as the energy industry, it will have a big problem coming. The clock is ticking".
Parris adds that organised gangs have skilful and knowledgeable electronic engineers who are currently looking into vehicle cyberhacking.
"The big problem faced by organised gangs in stealing cars is the need to have somebody on the ground breaking into one vehicle at a time. With a cyberattack they could potentially gain access to hundreds of thousands of vehicles without having anyone on the ground. They have a motivation and they will have teams of people working on this," says Parris.
McEvatt agrees that the recent car hacking incidents will "open up people’s curiosity", but believes this research will lead to tighter controls which could make future hacking more difficult.
Director of security and product management at Tripwire Tim Erlin anticipates more cases of vehicle vulnerability in the future, calling manufacturers to pay greater attention to cybersecurity.
"The security of vehicle software is now a safety issue and manufacturers will need to adapt to treat it as such. This [software patch by FCA] won’t be the last patch we see for a car near you," says Erlin.
Challenges and costs to manufacturers
The threat of hacking poses challenges to manufacturers, as they have to increase their expense on cybersecurity technology and research.
"Car manufacturers will have to pay good security researchers to perform penetration testing to identify any vulnerabilities," said McEvatt.
A hacked vehicle could add various costs to a manufacturer, some of which could be long term.
Apart from the costs involved in creating a software patch to fix a security flaw, there might be additional costs in applying the fix.
FCA had to recall 1.4 million vehicles to fix the security flaw which the researchers exploited. The update had to be implemented via a USB or by a dealership mechanic.
Parris comments: "The cost of recall is huge. There are costs in terms of managing the message, the impact on the dealers, the cost of rolling out the millions of USB sticks and the time it takes to do this."
BMW had to fix a security flaw in one of its digital services systems – ConnectedDrive – this year after it was found that hackers could wirelessly open 2.2 million BMWs, Minis and Rolls-Royces. The company used an ‘over the air’ wireless patch, avoiding a recall.
However, senior security analyst at Tripwire Ken Westin says that in future manufacturers will have to improve their methods of updating the software, because even wireless patching could create additional vulnerabilities.
"As this is still a relatively new area of security research, we will begin to see more vulnerabilities in vehicle systems," says Westin. "Car manufacturers will need to develop safe and secure methods of updating software in these systems, either through dealerships or possibly even remotely. However the latter could introduce more vulnerabilities into these systems."
In the incidence of car hacking, the adverse publicity can have a negative effect on a car manufacturer’s brand value and inevitably sales.
Recalls and security fears prompted by a cyberattack, could affect customer retention and attraction.
Westin explains: "Over the years in automobile manufacturing there’s been a goal to build safe and reliable vehicles with a key goal to have their brand names associated with these two elements as they compete in the marketplace for sales.
"With increasingly connected and high-tech components being added to these vehicles, they will need to add security to the mix in order to retain their brand integrity. You can develop the most advanced vehicle that has all of the latest safety features and high-tech gadgets in it, but if it can be bricked by remote exploits, you are going to have wary consumers who may choose the next brand of vehicle because they put more emphasis on security."
Kelley Blue Book’s new Vehicle Hacking Vulnerability Survey reveals that a substantial portion of consumers already take car hacking into consideration when buying a car. 41% of respondents say that they’ll keep the recent hacking incidents in mind when shopping for their next vehicle.
The bad publicity could also affect the work of manufacturers’ senior managers. Parris says: "When there’s adverse publicity, a huge amount of management time and effort goes into managing the communications message. It’s a huge management distraction from activities that can generate money."
In addition, manufacturers could face lawsuits by vulnerable vehicle owners which could lead to compensation payments.
Three Jeep Cherokee owners have filed a complaint against both Fiat Chrysler Automobiles and Harman International, the maker of the Uconnect dashboard computer.
In their class action complaint, the plaintiffs accuse Chrysler and Harman of fraud, negligence and unjust enrichment.
If their complaint is certified by a court as a class action, the broad spectrum of affected Chrysler vehicles means that it could escalate into a case with more than a million potential complainants.
Commenting on the overall effect of a cyberattack on manufacturers’ costs, Parris says: "OEMs will see that they can’t afford to do nothing as they could be hit with a fall in sales, management costs and compensations. On the other hand, doing anything will cost as well. It is a challenge for them."
"Vehicle manufacturers have a culture of developing systems and cars to certain standards. At the moment there are no standards for cybersecurity in the automotive industry," says Parris.
Globally there is no legislation or industry standards on vehicle cybersecurity. In the US there has been a Bill proposed called the Security and Privacy in Your Car Act (the SPY Car Act)
According to the proposed rules, all entry points to the electronic systems of each motor vehicle manufactured for sale in the US "shall be equipped with reasonable measures to protect against hacking attacks."
In addition to the above measure, the SPY Car Act states that the manufacturer shall "incorporate isolation measures" in order to separate critical software systems from non-critical software systems.
The proposed rules also mention that a vehicle must be evaluated for security vulnerabilities following "best security practices", including appropriate applications of techniques such as penetration testing.
"Any motor vehicle that presents an entry point shall be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle," the Bill states.
The Spy Car Act proposes rules on data security against cyberattacks. "All driving data collected by the electronic systems that are built into motor vehicles shall be reasonably secured to prevent unauthorised access," the Bill states.
Parris adds: "There’s also a move in the US to establish something called information and analysis centre which is a way of helping relevant companies share information about threats."
Can car hacking affect leasing and rental companies?
On-board diagnostics (OBD) ports are connectors within the car that allow access to the status of various subsystems.
The new version of OBD port – OBD II – has been used by service workshops to access the car’s computers and perform health checks to vehicles. Over the years a number of devices have been created which could be plugged into the OBD II and provide additional functionalities and real time information.
Fleet lessors and rental companies have been increasingly using such devices to gain information on driver behaviour and vehicle performance.
Parris says that such "aftermarket systems" tend to be less tested, unlike fixed systems which are part of vehicle testing.
He says: "There are all sorts of reasons why rental, leasing and insurance companies want to use these dongles which plug into the OBD port.
"The problem is that no one ever thought about security. A hackable dongle can weaponise a car, because through it you can do almost anything to the vehicle and compromise safety."
Earlier this year, researchers found a security flaw in Progressive Insurance’s usage-based insurance dongle, Snapshot, used in more than two million vehicles in the US.
The researchers claimed that they could gain complete control of the vehicle, through hacking this device. Parris says that it’s still uncertain who will be held responsible for a security breach through one of the dongle devices and whether lessors could be held accountable.
In the recent case against FCA, the plaintiffs represent drivers who leased vehicles as well. "Plaintiffs therefore bring this action on behalf of a proposed nationwide class of consumers who purchased or leased FCA US LLC vehicles equipped with the defective Uconnect system," the class action says.
In the damages claim, the prosecution claims that purchased, leased and retained cars with a serious defect are worth less than the ones without the defect.
"A vehicle purchased, leased, or retained under the reasonable assumption that it is safe is worth more than a vehicle known to be subject to the unreasonable risk of catastrophic accident because of defects," it adds.
The prosecutors claim that they paid more for the vehicle than they would have had if the defect was ‘disclosed by FCA’.
"Purchasers and lessees of class vehicles paid more for the class vehicles through a higher purchase price or higher lease payments than they would have had defendants disclosed the defect… Because defendants concealed the design defect, these plaintiffs did not receive the benefit of the bargain. In addition, the value of all class vehicles has diminished as the result of defendants’ deceptive conduct," the class action says.
Parris says that data security issues may also affect lessors, as people often put information into the car like an address book or phone book.
Parris asks: "When you sell the car who’s responsible for clearing down the data. Is it the owner, the OEM, the dealer or the rental or leasing company?"