Going back at least a decade, cars have been targeted by hackers, some who ended up working with the industry, others acting maliciously. But vehicles now carry far more electronic equipment, and autonomous driving, relying on sensors, cameras and radar, is on the horizon, with all kinds of ripe new targets.
Concern that cars could be seriously hacked — by criminals, terrorists or even rogue governments — has prompted a new round of security efforts on the part of the auto industry.
As far back as 2010, a disgruntled former employee at Texas Auto Center in Austin used a co-worker’s account to log into company software used for car repossession. He disabled over 100 cars, and owners who were up to date on their payments suddenly found their vehicles honking furiously, and unable to start.
In 2015, a veteran hacker named Samy Kamkar built a device for under $100 that he said could find, unlock and remotely start any General Motors car equipped with the OnStar communications system. Luckily, Mr. Kamkar was acting as a “white hat,” and not selling his OwnStar device to unscrupulous hackers.
“I worked with G.M. to resolve that issue,” he said, and that particular vulnerability is gone. “Cars are getting more secure, but it’s a long cycle to get the necessary new software and hardware installed.”
Dan Flores, a G.M. cybersecurity and safety spokesman, confirmed the collaboration with Mr. Kamkar. “We recognize the importance of the work that researchers, like Samy, do to help advance the work in this area,” he said in an email.
Digital threats to self-driving cars, according to a 2018 University of Michigan report, “include hackers who would try to take control over or shut down a vehicle, criminals who could try to ransom a vehicle or its passengers and thieves who would direct a self-driving car to relocate itself to the local chop-shop.”
The average car has over 150 million lines of computer code, and some have even more than a Boeing 787, according to a 2018 KPMG report. That complexity, the report said, “creates a real risk of cyberattack — a risk we fear many companies in the automotive industry may be underestimating.”
That view is widespread. “From my perspective, automakers were a little surprised and caught off guard by this threat,” said Doug Newcomb, a senior industry analyst at Wards Intelligence. “They added all this connectivity, but got ahead of themselves and don’t always think of the vulnerabilities that exist. It’s an ongoing issue, not a fix-it-and-forget-it thing.”
Failing to protect consumers can be costly, said Steve Tengler, a principal at the consulting company Kugler Maag Cie who has worked at Ford, Nissan and G.M., and was a senior director of connected vehicle cybersecurity at Honeywell.
Automakers are legally bound to provide state-of-the-art protection for their cars, Mr. Tengler said. “Legal precedents show that it’s not enough to provide a product that is kind of safe,” he said. “Companies don’t have to put themselves out of business to provide the safest technology, but they do have to work within their commercial ability.”
Mr. Tengler said the industry was a frequent target. “Every automaker has been hacked — every one of them,” he said. “Attacks aren’t a matter of if, but when and how.”
Once a car is out of warranty, automakers are used to cutting or at least loosening their ties. But hacking issues mean that protection will most likely require factory-to-junkyard monitoring.
In 2015, Fiat Chrysler recalled 1.4 million cars and trucks after Chris Valasek and Charlie Miller demonstrated, in a Wired magazine article, that they could remotely control a Jeep Cherokee’s brakes, radio,
wipers and other functions by gaining access through its UConnect infotainment system.
The company declined to comment on any subsequent security changes.
Dr. André Weimerskirch, vice president for cybersecurity and functional safety at Lear Corporation, said that automakers had made “huge improvements” in recent years, and that joint efforts involving the industry, academia and standards organizations had also led to gains.
Most car hackers have been wearing those white hats, with no criminal intent, but imagining what could happen led to the 2015 formation of the Automotive Information Sharing and Analysis Center, known as Auto-ISAC. Most of the world’s automakers are members.
Faye Francy, the center’s executive director, described the Jeep episode as “a good wake-up call for the industry.”
“The hackers are smart guys, very educated,” she said. “It’s not simple to do what they did. We’re fortunate that there hasn’t been another breach, but it’s not impossible.”
Not impossible, but still difficult. Ron Plesco, a principal at KPMG Cyber Security Services, agrees that hacking into a car’s driver controls requires “a lot of knowledge and effort.”
“It’s not as easy as Hollywood claims it is,” he said.
That’s one reason we haven’t seen more major attacks. But Mr. Plesco argues that today there isn’t much incentive for thieves, since the identity information stored onboard vehicles is fairly limited.
“But,” he added, “that’s about to change as we do more purchasing through the dashboard of the car. The automobile is becoming another computer that can be hacked.”
New infotainment and autonomous features are important selling points, but because most consumers assume their cars are safe, automakers tend to keep cybersecurity news in the background. Much is happening behind the curtain, however. Some private security firms say they are signing on with major automakers to provide expert protection.
“There are multiple ways for hackers to get in, and it’s the job of the whole industry to defend against it,” said Dan Sahar, a vice president at Upstream Security in Israel. “Just one hack can cost a manufacturer tens of millions of dollars, and that doesn’t include the brand damage. And the threat is getting more serious.”
According to Mr. Sahar, “2018 saw more than 60 documented automotive-related cybersecurity incidents, a sixfold increase in just four years.”
Upstream is working with “a handful” of manufacturers, Mr. Sahar said. “Automakers are focused on cybersecurity, but few say they can do it on their own,” he said.
A 2019 Upstream report extrapolates a cost topping $1.1 billion for a breach that requires a large recall. The opportunity will certainly be there for criminal hackers. Juniper Research of Britain estimated in a 2018 report that by 2023 some 775 million cars would be connected to the web in some way (up from 330 million in 2018).
Mr. Tengler, of Kugler Maag Cie, said it was easy to picture the danger that hackers posed to autonomous vehicles — potentially redirecting them as part of a theft. But the Jeep hack proved “it doesn’t matter if someone is driving,” he said. “If they can take control of the car, the vulnerable technology is already there.”
Thieves have stolen cars by using fairly simple electronic technology, some of it freely available. A device that amplifies the signals from a car’s remote can be used to unlock the target vehicle’s doors. Mr. Kamkar said he had built such devices from off-the-shelf components for approximately $50.
“It’s a lot simpler than people think,” he said.
Other devices include a radio transmitter that cycles through huge numbers of possible combinations until they “crack” the target car’s key fob. In 2006, that was reportedly how the soccer star David Beckham’s armor-plated BMW X5 was stolen in Madrid. A second X5 belonging to Mr. Beckham was also stolen.
“Car thieves used to have crowbars; now they use laptops,” said Mr. Plesco at KPMG.
Jono Anderson, also a principal at KPMG, said the auto industry needed to learn from aerospace.
“They’re very familiar with this kind of security,” Mr. Anderson said, “but it’s new to the auto industry. Maybe it’s possible to hack the entertainment system in a plane and get free movies, but it’s virtually impossible to hack the actual communications.”