The effects of a breach of a car, or fleet, could be devastating. Auto manufacturers and suppliers have aggressive plans, and a lot of firewalls.
By Eric A. Taub, THE NEW YORK TIMES
March 18, 2021
In your garage or driveway sits a machine with more lines of code than a modern passenger jet. Today’s cars and trucks, with an internet link, can report the weather, pay for gas, find a parking spot, route around traffic jams and tune in to radio stations from around the world. Soon they’ll speak to one another, alert you to sales as you pass your favorite stores, and one day they’ll even drive themselves.
While consumers may love the features, hackers may love them even more. And that’s keeping many in the auto industry awake at night, worried about how they can stay one step (or two or three) ahead of those who could eventually play havoc with the world’s private transport systems.
Hackers seemingly can’t wait for the opportunity to commandeer vehicles. In 2019, the automotive cybersecurity company Karamba Security posted a fake vehicle electronic control unit online. In under three days, 25,000 breach attempts were made, and one succeeded.
The best-known vehicle takeover occurred in 2015 when security researchers on a laptop 10 miles away caused a Jeep Cherokee to lose power, change its radio station, turn on the windshield wipers and blast cold air. Jeep’s parent company, FCA, recalled 1.4 million vehicles to fix the vulnerability.
Today, the effects of a breach could range from mildly annoying to catastrophic. A hacker could steal a driver’s personal data or eavesdrop on phone conversations. Nefarious code inserted into one of a vehicle’s electronic control units could cause it to suddenly speed up, shut down or lose braking power.
A fleet of cars could be commandeered and made to steer erratically, potentially causing a major accident. A hacked electric vehicle could shut down the power grid once the car was charging. Even altering a street sign in ways imperceptible to the eye can trick a car into misperceiving a stop sign as a speed limit sign.
And last year, Consumer Watchdog, a nonprofit group in Santa Monica, Calif., sent a “!Hacked!” message to the screen of a Tesla.
The problem goes beyond demonstration intrusions. Karamba has been working with a South American trucking company whose fleet was hacked to hide it from its tracking system, allowing thieves to steal its cargo unnoticed. And a quick internet search will reveal scores of successful but so far benign hacks against many of the world’s major automotive brands.
“To take control of a vehicle’s direction and speed: This is what everyone in the industry is worried about,” said Ami Dotan, Karamba’s chief executive. “And everyone is aware this could happen.”
The challenge may be even greater than securing the world’s airlines. According to a McKinsey & Company report on automotive cybersecurity, modern vehicles employ around 150 electronic control units and about 100 million lines of code; by 2030, with the advent of autonomous driving features and so-called vehicle-to-vehicle communication, the number of lines of code may triple.
Compare that with a modern passenger jet with just 15 million lines of code, or a mass-market PC operating system with around 40 million lines of code, and the complexities become clear.
Vehicle manufacturers understand that a successful hack that caused death or destruction could be a major blow. “The incentive to prevent a giant malicious attack is huge,” said Gundbert Scherf, a McKinsey partner and an author of the report.
And with drivers believing that their vehicles are the ultimate private cocoon, even a benign attack, such as an unexpected message on a car’s infotainment screen, could easily cause a major public relations problem.
Cybersecurity companies must protect a vehicle in multiple ways. Threats include SIM cards carrying malicious code, faked over-the-air software updates, code sent from a smartphone to the vehicle, and vehicle sensors and cameras being tricked with wrong information.
In addition, malicious code can be introduced through dongles connected to a vehicle’s computer port, commonly called the OBD-II port, typically under the steering wheel and used for vehicle diagnostics and tracking.
Trucking fleets are even more at risk, said Moshe Shlisel, chief executive of GuardKnox Cyber Technologies. An entire fleet could be shut down or otherwise compromised for a ransom, he said.
“Our biggest worry is the hacking of a fleet,” said Ronen Smoly, chief of Argus Cyber Security, a division of the auto supplier Continental. “Most serious hackers come from well-funded groups working for long periods of time.”
Mr. Shlisel said: “It’s just a matter of time before a major hack happens. The most secure vehicle is a Model T Ford, because it’s not connected to anything.”
Over-the-air updates can patch software vulnerabilities in modern cars, but the industry aims to protect electronic systems before that happens — including systems most exposed to the outside world, such as audio, navigation and phone systems. To protect them and more sensitive systems, safety measures are being taken along every step of the manufacturing chain, from software to hardware design.
Major software and hardware suppliers to the world’s manufacturers build in firewalls to ensure that such elements as infotainment systems are prevented from passing code to systems that regulate speed, steering and other critical functions.
Vehicle electronic control units are being designed to send an alert if one system that normally never communicates with another suddenly tries to do so. And they’re also locked down, so that an attempt to inject new code will be thwarted.
“Human life is involved, so cybersecurity is our top priority,” said Kevin Tierney, General Motors’ vice president for global cybersecurity. The company, which has 90 engineers working full time on cybersecurity, practices what it calls “defense in depth,” removing unneeded software and creating rules that allow vehicle systems to communicate with one another only when necessary.
It’s a practice also followed by Volkswagen, said Maj-Britt Peters, a spokeswoman for the company’s software and technology group. She noted that Volkswagen’s sensitive vehicle control systems are kept in separate domains.
Continental, a major supplier of electronic parts to automakers, employs an intrusion detection and prevention system to thwart attacks. “If the throttle position sensor is talking to the airbag, that is not planned,” Mr. Smoly said. “We can stop this, but we wouldn’t do so while the vehicle was moving.”
Still, determined hackers will eventually find a way in. To date, vehicle cybersecurity has been a patchwork effort, with no international standards or regulations. But that is about to change.
This year, a United Nations regulation on vehicle cybersecurity came into force, obligating manufacturers to perform various risk assessments and report on intrusion attempts to certify cybersecurity readiness. The regulation will take effect for all vehicles sold in Europe from July 2024 and in Japan and South Korea in 2022.
While the United States is not among the 54 signatories, vehicles sold in America aren’t likely to be built to meet different cybersecurity standards from those in cars sold elsewhere, and vice versa.
“The U.N. regulation is a global standard, and we have to meet global standards,” Mr. Tierney of G.M. said.
And last month, the National Highway Traffic Safety Administration issued a request for comment on a proposed new draft of a cybersecurity best-practices recommendation, an update of a 2016 report.
It’s even possible that future window stickers on new cars may point out that a vehicle meets cybersecurity standards. “We should rate vehicles for cybersecurity, the same way we rate them for crash protection,” said Jason K. Levine, executive director of the Center for Auto Safety.
All of which raises a question: If the U.S. government could not prevent Russia from hacking into its computers, can vehicle manufacturers do a better job?
“I’m very used to the doom-and-gloom narrative, and I would caution against it,” Mr. Scherf of McKinsey said. “We still have enough time to shape the narrative.”