Automakers and suppliers are making progress in protecting vehicles from cyber attacks, but the car-hacking threat is still real and could get increasingly serious in the future when driverless vehicles begin talking to each other.
A worst-case scenario would be hackers infiltrating a vehicle through a minor device, such as an infotainment system, then wreaking havoc by taking control of the vehicle’s door locks, brakes, engine or even semi-autonomous driving features.
Such a scenario was shown to be possible in a 2015 remote hacking demonstration involving a Jeep Cherokee that rocked the industry and prompted Fiat Chrysler Automobiles to send UBS sticks with software patches to the owners of 1.4 million cars and trucks.
A large-scale vehicle hacking resulting in death and destruction was depicted in last year’s “The Fate of the Furious” action movie.
“That’s Hollywood sensationalizing it, but that is not really that far-fetched,” said Joe Fabbre, a director with Santa Barbara, Calif.-based Green Hills Software, which makes operating systems software for vehicles with a focus on security. “There are very skilled hackers out there who can beat through a lot of medium and low levels of robustness in terms of security that is present in a lot of cars today.”
In response to the hacking threat, more vehicles are gaining the ability to wirelessly download security patches, similar to how computers and smartphones have been getting software updates for years.
These over-the-air updates allow auto companies to respond to threats – and newly discovered vulnerabilities – faster than having to direct customers to bring their vehicles to dealerships.
Automakers also have become more receptive to tips about hacking vulnerabilities coming from outside researchers, engineers or mechanics, said Beau Woods, an organizer with I Am The Cavalry, a grassroots cybersecurity organization.
In years past, well-meaning individuals who pointed out software flaws in vehicles sometimes faced cold receptions or even cease-and-desist letters, he said.
“Sometimes there is fear among automakers that if they say they accept vulnerabilities, it will encourage people to do more research and hack vehicles in the wild, which is rarely the case,” Woods said.
But attitudes have been evolving. For instance, Fiat Chrysler in 2016 partnered with a San Francisco-based company to launch a “Bug Bounty Program” that pays so-called white-hat hackers up to $1,500 each time they discover a previously unknown vulnerability in vehicle software.
The major automakers also created the Automotive Information Sharing and Analysis Center, known as Auto-ISAC, to research and discuss best practices for cyber security.
“It is a concern that all of the (automakers) are addressing,” said Faye Francy, the organization’s executive director. “They’re working at it and trying to share what they’re learning.”
So far, there have been no reported cases of real-life vehicle hackings that have resulted in crashes.
“But the research has shown that it’s possible. And I’m sure none of the (automakers) wants to be the first to test those waters,” said John Wall, senior vice president and head of BlackBerry QNX, which has beefed up the anti-hacker security in its vehicle operating software.
The potential danger of hacking could grow more serious once autonomous vehicles start hitting the roads in significant numbers in the 2020s. These driverless cars will be communicating with each other through means such as the “Cellular-Vehicle-to-Everything” system that Ford is testing with chipmaker Qualcomm.
Justin Cappos, a computer science professor at New York University’s Tanden School of Engineering, said one of the more promising ways to stay ahead of hackers is through regular over-the-air software updates to fix vulnerabilities as soon as they become known.
For example, Tesla last summer sent out updates to all Tesla Model Xs after Chinese security researchers managed to turn on a Model X’s brakes remotely and to get the doors and trunk to open and close while blinking the lights in time to music streamed from the vehicle’s audio system.
“I will say that the automotive companies have really come a long way and have made strides,” Cappos said. “But it’s really hard when you are making something as complicated as cars, and you are buying components of the cars from vendors … to get everyone to fix their security and get on the same page.”
Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.
Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.