Analytics Brief: Will the IoT and driverless cars make car hacking the norm?
The Internet of Things (IoT) fuels our world of connected devices and smart products, including automobiles that remind us to take a break on long road trips. Recently, the Federal Bureau of Investigation (FBI) and National Highway Traffic Safety Administration warned that modern cars are susceptible to hacking. This warning raises two key questions: How can we counter this threat and minimize car hacking? And what can we do to fortify automobile cybersecurity to minimize the risks introduced by the IoT and driverless cars?
What the experts have to say
Some pundits say that hacking a car is easy to do. Are they right? If they are, the problem engenders several more questions:
- How susceptible are we to car hacking?
- What kind of security exposures do connected cars introduce?
- What can we do to protect our cars and prevent hackers from attacking them?
- How can automobile manufacturers ensure their vehicles are protected?
- How do we balance the demand for innovation and connected cars with security?
Five cybersecurity experts weighed in on these questions during a recent Analytics Brief.
Peter W. Singer
Strategist and senior fellow, New America Foundation, and founder, NeoLuddite
The Internet of Things is expected to bring amazing possibilities and efficiencies, from smart cars, smart toys and smart power grids to smart things yet to be imagined—all being connected. But it also brings new vulnerabilities. One study found that nearly 70 percent of things coming online have major vulnerabilities. The difference with prior cybersecurity problems is that there is not just the possibility of lost information, but physical damage, with car hacks being an illustration. So there is not just a bigger target landscape, but also the stakes are arguably higher. Part of the problem is that many manufacturers haven’t been taking security seriously enough; it’s not woven into their design process. Moreover, many have an uneven relationship with security researchers.
Principal and owner, Morgan Wright LLC, and cyber-terrorism and cyber-crime analyst
I can’t decide my favorite quote that vindicates me on this topic:
“First they ignore you, then they laugh at you, then they fight you, then you win.”—Mahatma Gandhi
“The truth is incontrovertible. Malice may attack it, ignorance may deride it, but in the end, there it is.”—Winston Churchill
Almost three years ago, I did a segment with Fox News called “Al-Qaeda Behind the Wheel: How Terrorists Can Crash Your Car.” Although not as sinister as it sounds, the point was, as cars become more interconnected, there will be a whole host of new and unplanned security issues to deal with. I was roundly pilloried [for these comments] by a wide variety of blogs.
Then this Wired story appeared: “Hackers Remotely Kill a Jeep on the Highway—With Me in It.” I did another segment on Fox News as a follow-up called “Hijacked By Hackers?” In it, I spoke about the potential for ransomware to be introduced in moving vehicles. As a result of the [Defense Advanced Research Projects Agency] DARPA proof of concept, the automotive industry went into a tizzy. Finally getting serious about something that was staring them in the face for years, the Automotive Alliance was created 15 years after the Financial Services Information Sharing Analysis Center.
The biggest threat to any industry, in my opinion, continues to be failure of imagination. And now that cars become rolling computers, each with their own IP address, what could go wrong? Self-driving cars that could be hijacked? An $80,000 BMW turned into a brick with ransomware? The difference between cars and computers is that driving is regulated by the state and, to some extent, the federal government. Driving is a privilege, not a right. Courts have long ago ruled there is not the same expectation of privacy in a car as in a house.
That’s where the security versus privacy debate takes a decidedly different turn. In this arena, the rules are different and have to be looked at through the prism of rights against privilege. The computer in your house isn’t regulated by the government. You can run any software you want, any programs you desire, on any device you want. Take that same computer and embed it in a vehicle, and the game changes. But that’s for a lot of highly paid lawyers to figure out.
The automotive industry is so far behind the curve on cybersecurity, it makes healthcare look like Fort Knox. The biggest danger to consumers and drivers on the road isn’t the technology; it’s the hubris of the industry that couldn’t imagine this [risk] ever happening. There’s your threat.
Scott N. Shober
Cybersecurity expert and president and CEO, Berkeley Varitronics Systems, Inc.
Connected cars are entertainment centers on wheels and essentially computers that carry our very lives in their hands. The demand for these connected services will always push for the latest technology, but security efforts should also push back. As more hackers are drawn to vulnerabilities found in our cars, these same vulnerabilities will expose automakers that are lax on security and not proactive.
In the same way that Volvos are known for being safe on the road, car makers of the future will be judged on their ability to apply cybersecurity standards to their vehicles to keep their drivers, passengers and all others safe on the road too. Consumers need to investigate features such as cybersecurity standards and software patch frequency alongside other choices such as [miles per gallon] MPG and horsepower when shopping for a car. Aftermarket accessories such as vehicle diagnostic devices need to be manufactured and installed by trusted sources. And vehicle operating systems should be installed and updated only by the respective car manufacturers or trusted third-party software makers. Treating your new car like your new computer is the best way to keep it safe for everyone on the road.
CEO, Netspective Communications, and cybersecurity and risk management consultant
We are susceptible to car hacking, but the cost to do the hacks versus the return on the investment for the hacking is unknown. For example, we know that hackers who care about money would probably be spending x number of hours on hacking people’s bank accounts or medical records instead of their cars. Hackers looking to generate mass fear through terrorism would look at hacking a nuclear reactor or electrical grids instead of automobiles.
As soon as hacking a car has some value, we’ll have more to worry about. For now, car hacking is a real vulnerability, but we should prioritize it according to a real risk analysis and not worry about security theatre or be driven by general fear. However, manufacturers can help to ensure the security of their vehicles. Just as they hire professional drivers to thoroughly test physical safety of their automobiles, all manufacturers should be hiring professional hackers and security professionals to regularly test digital safety and security.
And, just as the professional test drivers are consulted throughout the design process, ethical hackers and security professionals need to be integrated throughout the design process for all the digital components of automobiles. There are new safety- and security-focused programming languages that are being created to help prove, mathematically and through evidence, that code is safe. If we can start to use these kinds of languages and model-driven design techniques that can rewrite large amounts of code quickly, we can ensure safety over time.
Security analyst, JurInnov Ltd.
What this [issue] really comes down to and the reason why it gets so much attention is a function of the perceived impact. Hacks take place every day, but [they] create little stir in the community. And that is largely due to the fact that the average breach or hack results in little or no impact to the average person.
However, the threat of human harm, physical asset destruction and possible loss of life potentially have a very significant perceived impact on the average person, despite the relatively low likelihood of their exploitation on an individual at this time. This anxiety is heightened by the fact that consumers cannot take their vehicle to a dealership to swap out a part to reduce their risk. The problem and the solution are much more complex.
The solution primarily involves applying mature security best practices from other areas to the automotive industry, such as secure coding practices, code review, vulnerability scanning, patch management and reduction of the attack surface. Next, consumers need a way to opt out. They should be given the option to disable connected car features. They could do so temporarily, if they are particularly concerned [by] driving in an area where attacks might be more likely, or in response to recently disclosed but as yet unpatched vulnerabilities.
Innovation and the security of connected vehicles in our lives are not mutually exclusive. Steps can be taken to ensure the same level of security we employ on our cell phones is applied to our vehicles. The balance between the demand for innovation and security is the education of the vehicle manufacturers and the awareness of car features and functionality by end users.
What may come to pass
Many people restore antique cars simply because of their sheer beauty. Might we have to one day restore them for security reasons too? Though the FBI only released a warning about the risk of car hacking, this warning can be likened to tremors before a volcanic eruption.