• United States



Senior Reporter

Should you worry that your car will be hacked?

Mar 23, 20166 mins
Consumer ElectronicsSecurity

The FBI's warning is likely directed more at carmakers than drivers

The federal government’s warning last week about cybersecurity vulnerabilities in vehicles is a well-intentioned public service announcement that has little value for consumers.

The warning noted the highly publicized wireless vehicle hack of a Chrysler Jeep Cherokee last July, where two security experts demonstrated they could control critical functions of the vehicle. The revelation lead to Chrysler recalling 1.4 million vehicles to update software.

[ REMEMBER:  Hackers remotely take control of Jeep  ]

And now the FBI and the National Highway Traffic Safety Administration (NHTSA) warned on Thursday that the rising use of computers in vehicles poses increasing risks of cyberattacks.

Among other suggestions, the joint advisory from the FBI and the NHTSA recommended drivers to keep their vehicle’s software up to date.

The public bulletin stated it’s important that consumers and manufacturers are aware of the possible threats and explained how an attacker may seek to remotely exploit vulnerabilities in the future. “Third-party aftermarket devices with Internet or cellular access plugged into diagnostic ports could also introduce wireless vulnerabilities,” the bulletin stated.

However, the advice provided by the FBI and the NHTSA, though well intended, is overly ambitious for the average driver, according to Michela Menting, digital security research director at ABI Research.

“Recommendations prompting drivers to keep their vehicle software up to date seems rather optimistic, and suggesting they download the software updates and install it themselves is hazardous at best,” Menting said in an email reply to Computerworld.

While the PSA offers a “note of caution” about the possibility of criminals creating malware-infected updates, the idea that drivers will be any more savvy than the average computer user in discerning genuine updates or even legitimate manufacturer websites is ill-judged, Menting added.

Given the rather nascent nature of automotive cybersecurity, it should “undoubtedly” be left in the hands of carmakers and their resellers for the immediate future, Menting said. Consumers should simply contact their auto dealers if they have any concerns that their vehicles may have been hacked or are vulnerable to an attack.

Consumers, however, should stay informed about the capabilities of their cars, just as they would about most connected devices they own — from PCs to smartphones to smart home appliances — especially considering that vehicles are much a more complex and “dangerous tool,” Menting said.

“So it is perhaps even more important to understand the risks,” he added.

Egil Juliussen, director of research at IHS Automotive Technology, said other than gaining notoriety, there really isn’t much of an incentive for hackers to break into your vehicle’s electronic systems.

In fact, the only business case for hackers to break into a vehicle is to extort money from owners or automakers. “They have to earn money on it; otherwise, it doesn’t pay for them to do it,” Juliussen said.

For example, last year the PC industry was hit with a rash of ransomeware attacks. The two most prominent attacks were Crowti (also known as Cryptowall), and FakeBsod; they were detected on more than 850,000 PCs running Microsoft security software between June and November 2015. Ransomware can prevent users from accessing OSes, encrypt files so users cannot access them and stop certain apps from running, such as a web browser. The hackers demanded money in exchange for giving control and data back to users.

The only other reason a hacker would wirelessly attack a vehicle, Juliussen said, is to prove his or her skill. Juliussen said the FBI/NHTSA notice is a great idea for educating consumers about the potential hazards associated with increasingly electronic vehicles, but the bulletin is more likely to have a bigger impact on the automakers — a virtual warning shot across the bow of the industry.

In 2013, the NHTSA warned cybersecurity should be essential to the public acceptance of new vehicle systems.

“With FBI coming in on it, it’s another stake in the ground,” Juliussen said. “In some ways raises the stakes for the auto industry — for people who might sue, lawyers can say the industry was warned in 2016.”

Over-the-air software updates to the rescue

One potential way to address vehicle cybersecurity is through over-the-air software updates, the same technique your your smartphone or computer can protect themselves frome the newest threats.

Carmakers are increasing the ability to perform over-the-air (OTA) software updates through infotainment or telematics systems in current and next-generation vehicles. Virtually every request for proposal for infotainment system software that has come out over the past six months has contained a cybersecurity aspect, Juliussen added.

By 2022, there will be 203 million vehicles on the road that can receive software over-the-air (SOTA) upgrades. Among those vehicles, at least 22 million will also be able to get firmware upgrades, according to a new report by ABI Research.

ABI Research expects approximately 625 million consumer vehicles will be sold between 2016 and 2022. So, the percentage of OTA-enabled vehicles across the 2016 to 2022 timeframe would be 32% of the total sold.

In 2014, General Motors started its own cybersecurity group, HackerOne, a company that connects companies with security researchers.

Last year, two major U.S. auto trade associations opened an Information Sharing and Analysis Center. The organization will help to share cyber-threat information as well as potential vehicle vulnerabilities.

Also last year, after the Chrysler Jeep Cherokee hack, companies that provide cybersecurity software and services — such as Cisco — have seen an increase in interest by automakers, according to Egil Juliussen, director Research at IHS Automotive Technology.

“If you talk to [them], they’ll tell you they’ve got a big uptick in business coming in as consultants are assessing the software code and systems,” Juliussen said. “The auto industry really doesn’t have much built into the car today to add cybersecurity. After the Jeep incident, they really started to take this seriously.”

While the auto industry increased its focus on cybersecurity, Menting said it still hasn’t done enough.

“While cybersecurity is a mature and well-established discipline in the IT industry, the auto industry has been lax in applying similar practices,” Menting said. “I do think the potential harm that can occur — notably in terms of human safety — is a critical element that will trigger investment and R&D by [vehicle makers] into offering cybersecurity solutions sooner rather than later.”