- Jul 18, 2014
Auto industry continues to grapple with challenges of cyber threats
A telephone is not a telephone. It's a computer that makes phone calls. A refrigerator is not a refrigerator. It's a computer that keeps food cold. And a car is no longer a car. It's a computer with wheels and an engine.
A car is no longer a car. It's a computer with wheels and an engine.
Everyday items are no longer what we think they are, and we need to rethink those objects to help keep them secure, says a leading security expert. That includes the millions of new vehicles now being sold in dealerships across the United States.
Today's new cars come equipped with dozens of microcomputers connected by a network and run everything from infotainment systems to the engine itself. New technology has provided advancements in fuel economy, comfort and safety. But it comes at a price. Like any other computer system, the units inside our cars are vulnerable. Hackers can infiltrate these systems. Once they're inside, they can do anything from steal your data to control your car.
Automakers were slow to realize these growing risks, says Bruce Schneier, chief technology officer of Co3 Systems and a fellow at Harvard's Berkman Center, but they've better responded to these potential threats in recent years.
Schneier spoke at the Battelle CyberAuto Challenge, a week-long gathering of industry leaders, researchers and students pioneering automotive cyber security held in the greater Detroit area.
Progress has been made, yet he said there are still dangers on the horizon. He foresees more complexity and potential dangers ahead as more connected cars reach the road and the US transitions to a traffic system in which vehicles talk both with each other and infrastructure. By 2017, industry analysts expect 60 percent of new cars around the world will contain connected capabilities.
By 2017, industry analysts expect 60 percent of new cars around the world will contain connected capabilities.
"They're taking this seriously, and that's good, but we have a long way to go," Schneier tells Autoblog. "They last thing you want is for someone to hack into your computer and make your brakes stop working. As people have demonstrated, it's just like hacking into an email. It's no different. It's a question of whether you type the 'stop email' command or the 'kill the guy' command."
Hackers Can Control Cars
Although there are no documented cyber car attacks in the real world, studies have shown that cars can be hacked. In 2011, researchers at the University of Washington and California-San Diego teamed up to hack into a vehicle and disable its brakes, selectively brake individual wheels on command and stop the engine. The report noted the 'fragility' of the underlying system.
Last year, researchers at IOActive, a global computer security firm, breached network security in a Ford Escape and Toyota Prius. From the rear seats, they controlled every conceivable function of the cars, manipulating the steering, throttle inputs and dashboard indications. Together, the two studies are seen as big warnings for the industry.
Industry Wants OEMs To Share Data
Earlier this month, Delphi, Battelle, the Alliance of Automobile Manufacturers and the Association of Global Automakers created a coalition to address issues as they arise, and stressed that OEMs need to share information about potential cyber threats.
"Despite the absence of reported cybersecurity incidents affecting vehicles on the road to date, we are taking action to prepare for possible future threats," Mitch Bainwol, president of the Alliance of Automobile Manufacturers, wrote in a letter to the National Highway Traffic Safety Administration.
OEMs need to share information about potential cyber threats.
Battelle, a national nonprofit research organization that melds business and scientific interests, wants to address those concerns. High-school and college students at the CyberAuto Challenge have been probing the potential attack surfaces and entry points of cars this week. Battelle asked them to sign non-disclosure agreements before participating so they couldn't speak in specifics about their experience. But what they have experienced has left an impression.
"With a car, you can do some things that are scary and exciting at the same time," said Keimmie Booth, a student from the University of Baltimore.
Future Systems Based On Cooperation
Going forward, Schneier said the problems automakers face are both mundane and frightening. One of the biggest challenges is the lifecycle of vehicles – the average American car on the road today is 11.4 years old, according to Polk Automotive data. Computers, of course, have a much shorter lifecycle.
"If I gave you a 15-year-old computer, it would be horribly insecure, and we don't really know how to deal with that yet," he said. "In a lot of ways, the auto industry is like the computer industry 15 years ago. It hasn't fully realized what it means to try and keep a computer secure. You get updates once a month for Windows. Do you have to get that for your car? Probably."
The average American car on the road today is 11.4 years old.
As the federal government partners with researchers in creating a traffic environment based on cars connected to each other and infrastructure like traffic lights, the implications for holes in that security become more ominous. Part of those preparations, Schneier says, must include how to detect and counter unwelcome intruders.
"How do we deal with a system that's based on cooperation that has an uncooperative element," he said. "How do you deal with a rogue car, when someone hacks into a car and puts in the Knight Rider mods? ... At lot of this is bigger than cars, but cars make it real and visceral."