Although it sounds like a Hollywood movie, this cybersecurity threat just became real. Carjacking just received an entirely new scenario, one that has been proven and caused the first-ever recall of cars in the US because of cybersecurity. Imagine driving on an Interstate Highway at 55+ miles an hour and suddenly your brakes are engaged; this nightmare is real. Too often in a free-market economy, technology outstrips our ability to control or understand it, and this example is poignant in the extreme.
First Ever Remote Car Hack
Fiat Chrysler Automobiles (FCA) became the unwitting victim of the first ever car hacking that resulted in a mandated recall of 1.4 million vehicles. The theoretical threat became an instant reality. Car cybersecurity has been on the radar of academics, engineers and theorists since cars started being connected to the Internet.
The hacking of the FCA Jeep Grand Cherokee resulted from the electronic radio ports on the radio-controlled computer being left ‘unintentionally’ open, allowing controls and commands to be sent to the vehicles without proper authentication. Charlie Miller and Chris Valasek were able to hack into the car’s infotainment system with just an internet-connected computer before finally immobilizing the Jeep on the side of a highway by tampering with the brakes and the engine. Their exploits were made public in July at the Black Hat Conference in Las Vegas.
Chrysler defended its “timeline” of events, even though it knew of the cybersecurity threat as early as January 2015. FCA stated that what was known in January was much different from what was revealed in July. The company only contacted the NHTSA (National Highway Traffic Safety Administration) about the security issue after being contacted by the programmers. Yet, this is not an isolated incident.
The GM OnStar
The GM OnStar system was recently shown to have a flaw that allowed the RemoteLink App, downloaded to mobile phones, to be interrupted and controlled by another party. Not as easy as the FCA hack, this one requires the hacker to build a unit that can intercept the communication between the car and the mobile phone. The researching hacker, Samy Kamkar, notified GM about the issue, and GM was able to patch the software by the next morning without a recall. That same day, GM uncovered another security vulnerability on an iPhone, which was also fixed the same day.
Although manufacturers are quick to move when hacks affect driving safety, these hacks have revealed that they were possible without a systemic process in place for these systems, and without third-party checks or legislative mandates.
In the US these hacks fall generally under the jurisdiction of the NHTSA. The NHTSA, however, has not exactly been asleep at the wheel. Connectivity in cars is relatively new, and the pace at which technology can leapfrog non-profit organizations’ ability to stay in the loop is worrying. However, the NHTSA has been looking at better systems of evaluation for vehicle cybersecurity for a couple of years. In fact, in October 2014, the NHTSA published “A Summary of Cybersecurity Best Practices” in order to start looking at the issue in more depth.
This paper compared the cybersecurity needs of vehicles with those of similar industries where processes and practices are more advanced. The most obvious examples include the aviation industry as well as the IT industry. Aviation has put in place extensive cybersecurity protocols to ensure remote hacking of airplanes is not possible. The number of lives at stake requires the same type of response from the auto industry, it says. This includes not only best practices for auto manufacturing but also for cybersecurity research and review. It states cybersecurity should be looked at as a ‘lifecycle’ rather than a stationary target. This allows manufacturers to look at the longevity of the vehicle and include a life cycle for its cybersecurity as well.
This paper grew out of the express overhaul of the NHTSA in 2012 to better focus on the future of vehicle technology. This overhaul included a complete organizational restructuring, including a new division, Electronic Systems Safety Research, to better evaluate electronic technologies in vehicles. This division is responsible not only for cybersecurity but also for a host of technologies that include crash avoidance and driverless technologies. The paper on best practices was just 1 of 4 papers published in 2014 on technology and cybersecurity.
No matter the progress of the NHTSA, however, the unfortunate news from these car hackings is that it is not enough. The US Senate recently promised more staffing and resources for the under-staffed agency based on changes to the NHTSA and the recall procedure.
The real cybersecurity threat against the vehicles that billions of people drive every day needs immediate global attention, and not just from one organization in the US. The pervasion of electronics and the prominence of the Internet of Things promise to make cybersecurity a global issue. The Internet of Things promises over 50 billion devices connected to the Internet by 2020. Everything from your watch and phone to your fridge, stove and BBQ possesses some of the same security threats to life that are inherent in vehicles. Imagine someone able to turn on your gas stove through the internet, and the resulting problems.
Automaker associations globally have promised to tackle the issue of cybersecurity with a more concerted effort and a central data analysis center to proactively search for vehicle vulnerabilities. The real issue is how this global problem, which spans many industries including the auto industry, can be dealt with in a manner that still supports innovation and progress but not at the expense of safety and security.
With projections for driverless cars and auto-driving cars by as early as 2020, the problems of today seem like a perfect lead-in to cybersecurity for the transportation of the future. Vehicles today at least have an attentive driver who can potentially avoid fatal collisions through awareness. Driverless cars of the future would be even more at risk.