Cybersecurity experts say there are plenty of vulnerabilities for enterprising ransom-seeking hackers, unless automakers act
The recent "WannaCry" ransomware attack that crippled computer systems around the globe has highlighted the digital vulnerabilities in our daily lives.
One you might not have considered is your car, which increasingly relies on computer chips and more than 100 million lines of computer code to operate.
The reason cars are such inviting targets for ransomware hackers is that they’re increasingly computerized. And as automakers have transferred more and more functions to processors, they've neglected to install the same levels of security found in other modern devices—such as phones and laptops.
“Once you connect the car to the internet, the entire vehicle becomes a threat surface. If the auto industry doesn’t adapt, we’ll continue to see mistakes and potential vulnerabilities for things like ransomware to take place,” says Craig Hurst, executive director of the Future of Automotive Security Technology Research ( FASTR), a nonprofit security research consortium of automakers, suppliers, and software companies.
The FBI issued a warning last year for the auto industry to be ever-vigilant about developing cybersecurity as autonomous technology advances and as cars become ever-more connected. And multiple academic and industry consortiums and partnerships, as well as for-profit corporations, are working on the concern.
One possible scenario involves hackers installing malware into a vehicle's operating system, perhaps through an unprotected internet connection, and locking out the driving functions.
A driver might find his or her car unable to start. A message pops on the control screen with instructions for how to pay a ransom to make the vehicle start again.
“Cars are becoming computers on wheels,” says Jake Fisher, director of automotive testing at Consumer Reports. “As the technologies are added, manufacturers will have to consider all the possibilities. We support the new technology, we’re just making sure that it is added in a responsible way.”
What an Attack Looks Like
Car hacking has been discussed in mostly abstract or dramatic ways: The hacker who uses a laptop to take over the driving functions of a car. That scene plays out on the big screen in the current Hollywood blockbuster “The Fate of the Furious.”
In the real world, the recent WannaCry attacks, which hit the British National Health Service and spread to more than 230,000 computers over 150 countries, offered a glimpse of how thieves could take advantage of automotive vulnerabilities.
The hackers demanded payment in bitcoin from computer system operators to unlock the frozen computers. The thieves did not collect much, but it was costly for computer system operators, and a really big hassle.
Auto manufacturers are focusing a lot on cybersecurity, but they’re struggling with how many resources they should devote to fight the risk.
To date, the only company seriously affected has been Fiat Chrysler, which conducted a recall of certain Jeep models after security researchers exposed a vulnerability in an infotainment system. The researchers were able to take over control of steering, acceleration, and braking via a laptop. The Jeeps were later subject to the first-ever U.S. hacking safety recall.
The vulnerabilities aren’t necessarily new—there are infotainment systems connected to the internet, unencrypted transmissions between car controllers, flawed software in phone apps, and unprotected key fobs.
Just because they’ve been exposed doesn’t mean they’ve been fixed, says Hurst, the executive director of FASTR.
Every car connection to the internet is a potential entry for a hacker, Hurst says. Every wireless interface is vulnerable.
Ransomware, in general, is a growing criminal concern because the attacks have been effective and relatively easy to launch, says Monique Lance, head of marketing at Argus Cyber Security, a global automotive cybersecurity firm based in Tel Aviv, Israel.
“Thieves go where the money is,” she says. “If they find it lucrative to stage a ransomware attack, that’s what they’ll do.”
A Near-Term Risk
FASTR has been tracking the threat.
In a survey of its members published in February, the group predicted that a vehicle-based ransomware attack would take place in the real world sometime this year.
Cars are essentially bigger, heavier Internet-of-Things devices, with multiple operating systems that connect to the web, says Carl Herberger, vice president of security solutions at Radware, a firm that markets protections against cyberattacks.
“You can clearly see this happening,” Herberger says. “It may sound trivial or trite, but when you have tens of millions of cars on the road, all you need is 1 percent for you to make millions of dollars. You can see the criminal mind working.”
The potential for hacking incidents that involve loss of human life may be a few more years out, as cars become more autonomous, Herberger says. Ransomware is a real near-term threat.
In addition to the techniques and motives, would-be criminals have ready-access to the tools they would need on the so-called dark net, Herberger says. They can rent, buy, lease, or even outsource the hacking needed to do the job, he says.
Regulators, Industry Respond
With vehicle software and processors proliferating as hackers are growing more sophisticated, the federal government has ramped up its response.
The FBI issued a warning in March 2016 to automakers and consumers to “maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles.”
Also last year, the National Highway Traffic Safety Administration released guidelines to ensure automakers are designing cars to be safe, even if they are hacked. The idea is to be able to safely control a car after a successful cyberattack.
The auto industry has a multilayered strategy on cybersecurity, including building in protections from the early stages of design and also partnerships with a wide range of tech groups, says Gloria Bergquist, vice president for communications at the Alliance of Automobile Manufacturers. That includes the Automotive Information Sharing and Analysis Center, or Auto-ISAC, which monitors potential threats, shares intelligence, and has developed a series of best practices.
“In the automotive sector, we are seeing a lot of sensationalized stories that don’t mesh with what our cyber experts are seeing,” Bergquist says. “It is still important, even with all the multiple protections for auto cybersecurity, that we remain vigilant.”
The Auto-ISAC, which was established in 2015, developed seven best practices for automakers and their suppliers, including how to respond to hacking incidents and how to engage with and respond to private security researchers, who are actively trying to break into vehicle systems to expose their weaknesses.
Faye Francy, Auto-ISAC executive director, says the group is fleshing out general principles from automakers into a detailed road map for automakers to address hacking threats.
The group’s regular conversations among automakers, suppliers, tech companies, and researchers are already paying off, leading to dialog with third parties who identify threats and implement solutions, Francy says.
“This is about learning and working together,” she says. “The technology trajectory is so much faster than what regulators can keep up with. We’re working to make sure cybersecurity is embedded in our designs.”
One way that ransomware hackers could get into a car is through apps on the infotainment system that connect to the internet, or through smartphone apps that you can use to control your car through your phone, experts say.
Consumers might be tricked into downloading apps that look real but are really malware—just like clicking on a phishing link in an email. Starting to use the phony application installs the malware.
“We don’t really like to put fear in consumers’ minds," says Lance from Argus Security in Tel Aviv, "but maybe that’s what it will take to get the manufacturers to act."