Most people who work within the auto industry have understood this for years, but for the broader American public not paying as close attention, three storylines emerged recently that underscored this new vehicular reality.
First, German researchers found a flaw in BMW's remote-services system that allowed them to access the telematics units in vehicles. Then, a 60 Minutes report demonstrated that researchers could remotely infiltrate a Chevy Impala and override critical functions, like acceleration and braking. Finally, a US Senator released a critical report that found almost all automakers are unprepared to handle real-time hacks of their vehicles.
Those reports come on the heels of two previous instances in recent months when researchers demonstrated the capability to hack cars.
All this news can be disconcerting. If you're late to the concept of car-hacking and wondering how this is possible, we've got you covered. Here's your quick primer on what you need to know.
1. How Did My Car Become A Computer?
On the outside, cars haven't changed all that much over the past couple of decades. On the inside, however, the amount of electronics and software has dramatically increased.
Most new cars contain more than 50 microprocessors known as electronic control units. These ECUs control everything from airbag deployment and navigation systems to throttle control and braking, and they're usually connected to each other on an internal network called the CAN bus.
2. What Exactly Is Car Hacking?
Depends who you ask. Automakers might consider anything that alters the car from its state of manufacture as a 'hack.' For example, if you're chipping the engine – re-calibrating those ECUs to increase your horsepower – some people might consider that a hack.
But in the context of the recent news reports, security experts are focused on unwanted, unauthorized cyber intrusions into a vehicle.
Once inside your car, prospective attacks could range from minor things like eavesdropping on conversations via an infotainment system and unlocking car doors to major concerns, like overriding driver inputs and controlling braking, steering and acceleration.
3. How Is This All Possible?
Any part of the car that communicates with the outside world, either via a remote or direct connection, is a potential entry point for hackers.
Diagnostic devices used by mechanics, dongles that plug into the OBD-II port, Bluetooth pairings and smartphone connections, even tire pressure monitoring systems have all been breached by researchers.
But the most vulnerable entry point may be the telematics unit, the computing power behind your infotainment features like smartphone integration, turn-by-turn directions, audio options and some real-time safety functions. Automakers are adding more connectivity powered by these units – see General Motors outfitting its OnStar telematics units with 4G LTE connections – which makes vehicular cyber security all the more complex.
4. What Has Happened So Far?
Researchers at the University of Washington and California-San Diego published landmark research in 2010 and 2011. In two separate studies, they demonstrated they could compromise an ordinary car, turning its engine on and off, manipulating critical systems and braking single wheels. Their work is considered the first warning sign.
In 2013, Dr. Charlie Miller and Chris Valasek demonstrated how they could manipulate critical car functions while attached to a Ford Escape and Toyota Prius. They published detailed code packets that demonstrated exactly how they exploited the cars, which angered some auto executives, but those details made the work hard to ignore.
Over the past three months, dongles that plug into a car's OBD-II port have proven vulnerable. First, Israeli research firm Argus Cyber Security remotely exploited a device that provides driver feedback, and in January, researchers found that a dongle Progressive Insurance uses to collect usage-based insurance data had no security whatsoever.
Then came early February.
So far, researchers have focused on single-car attacks. BMW showed it can provide an entire fleet with over-the-air updates, and that same capability is one way a hacker could conceivably infect an entire fleet of cars with malicious software. But to be clear: that hasn't happened yet.
5. Is This Whole Car-Hacking Thing Overblown?
Well, yes. To date, there have been no known real-world incidents that have harmed unsuspecting drivers. Cyber-security experts who have hacked cars will say it's much more difficult than, say, infiltrating the likes of Target because the software is unique. And it's expensive. Break a computer while trying to exploit its software, and you're out a few hundred dollars. Break a car, and it's not easy to find a replacement. Bottom line, it would take months of time and significant money to exploit a vehicle.
And no. No matter how secure car companies and their suppliers make cars, a vehicle's security is only as strong as its weakest point. That point may be a device they have no control over – the smartphone or insurance device that you, the driver, bring into the car.
The number of connected cars is growing by the millions every year. As an earlier report from Sen. Ed Markey details, almost every automaker has no idea how it would handle a real-time infiltration. Car companies have been caught flat-footed, and now they need to catch up.
When cars start communicating with each other using the vehicle-to-vehicle communication system now being developed by the Department of Transportation, that's one more conceivable avenue a hacker could use to impact multiple cars at a given time. Bottom line, the problem is getting more complex, and the challenges presented by automotive cyber security are only in their infancy.