May 5, 2023
Cyber Threats Drive Concern About Vehicle Vulnerability
The technological sophistication of today’s cars and trucks is making them increasingly vulnerable to cyber security threats.
The software operating in today’s vehicles has about 100 million lines of code. “It would be easy to say the modern car is a computer on wheels, but it’s more like 30 or more computers on wheels,” Bruce Emaus, the chairman of SAE International’s embedded software standards committee, told the New York Times recently.
- In 2015, a team of researchers successfully hacked into a Jeep Cherokee’s infotainment system, gaining control of the vehicle’s engine, brakes, and other critical functions. They were able to do this through a vulnerability in the vehicle’s cellular connectivity system.
- In 2016, researchers were able to remotely access and control a Tesla Model S by exploiting a vulnerability in the vehicle’s software. They were able to unlock the doors, start the engine, and even apply the brakes while the car was in motion.
- In 2016, security researchers were able to take control of a Nissan Leaf’s climate control system, accessing it through the vehicle’s mobile app. They were able to turn on the vehicle’s air conditioning and heat, as well as drain the car’s battery.
- In 2013, a team of researchers were able to hack into a Toyota Prius and disable the vehicle’s brakes while it was traveling at high speeds. They were able to do this by exploiting a vulnerability in the vehicle’s wireless communication system.
- In 2018, researchers were able to hack into a BMW’s infotainment system and access the vehicle’s GPS data, microphone, and phone contacts. They were able to do this through a vulnerability in the vehicle’s ConnectedDrive system.
- More recently the press reported a prank in Russia where dozens of cabs converged on a single address in central Moscow, causing a major traffic jam. In addition, a 19-year-old security researcher blogged about how he took advantage of a bug to remotely hack into more than 25 Teslas — “By accident. And curiosity,” he noted.
The main cyber threats to vehicles are:
- Cybersecurity threats: With the increasing use of electronic control units (ECUs) and internet connectivity, vehicles are becoming more vulnerable to hackers who can gain access to the vehicle’s systems and take control of critical functions such as brakes, acceleration, or steering.
- Software glitches: As vehicles become more reliant on software, there is an increased risk of bugs and glitches that could cause malfunctions. A software bug could, for example, cause the vehicle to suddenly accelerate or shut down while driving.
- GPS tracking: The GPS systems used in modern vehicles are vulnerable to hacking and tracking. Hackers could gain access to the GPS system and track the vehicle’s location or even use it to steal the car.
- Sensor malfunction: Modern cars are equipped with a wide range of sensors that are used to monitor everything from the engine’s performance to the car’s position on the road. If a sensor malfunctions, it could cause the car’s systems to fail or provide incorrect information to the driver.
- Over-the-air updates: Some car manufacturers now offer over-the-air updates to their vehicles, which can introduce vulnerabilities if not properly secured. Hackers could potentially intercept these updates and use them to gain access to the car’s systems.
Research and Solutions
Fortunately, there are several organizations and initiatives working to reduce vehicular cyber risk. They include
- The National Institute of Standards and Technology (NIST), which has developed and promoted cybersecurity best practices guidance in the United States.
- The Automotive Information Sharing and Analysis Center (Auto-ISAC), an industry-wide organization formed by automotive manufacturers to share and analyze cyber threats and vulnerabilities in vehicles.
- The Cybersecurity and Infrastructure Security Agency (CISA), which is a federal agency responsible for protecting the nation’s critical infrastructure from cyber threats. CISA collaborates with the automotive industry to provide guidance and best practices for securing connected vehicles and their supporting infrastructure.
- The Security and Privacy in Your Car (SPY Car) Act. This proposed legislation aims to establish cybersecurity standards for vehicles sold in the United States. It would require automakers to develop and maintain cybersecurity policies and implement measures to protect against hacking and unauthorized access.
- The Federal Automated Vehicles Policy: a set of guidelines issued by the National Highway Traffic Safety Administration (NHTSA) to promote the safe and secure development and deployment of autonomous vehicles.
Overall, the increasing reliance on electronics in modern vehicles has made them more vulnerable to a range of potential vulnerabilities, highlighting the importance of robust cybersecurity measures to protect against these risks. The automotive industry, regulators, and policymakers are increasingly recognizing the importance of cybersecurity in vehicles and are taking steps to address this issue.