Date: 2019-05-22

David Kennedy, founder of TrustedSec (trustedsec.com) and Binary Defense Systems, is a white hat hacker and cybersecurity consultant to major corporations, manufacturers, financials and governments. Prior to the private sector, David worked for the US Marine Corps and was deployed twice to Iraq for intelligence-related missions.

The auto industry is rapidly moving toward a future of driverless cars. One of the main arguments in favor of this new technology is that it will make driving safer.

But what about the flip side of the coin? What new risks could it create?

Tesla (TSLA) has led the field in self-driving technology for years, and it is now getting closer to what it calls FSD: full self-driving technology. At the same time, other car manufacturers and leading tech companies like Apple (AAPL), Google (GOOGL), and Uber are also developing driverless vehicle technology, which could begin rolling out soon.

Photo: Kaushik Raghu, Senior Staff Engineer at Audi, takes his hands off the steering wheel while demonstrating an Audi self-driving vehicle.

For the past four years, our team at TrustedSec has been working with leading auto manufacturers to check these vehicle systems for potential security risks a criminal hacker might exploit. While I can’t disclose what we’ve found, what I can say is this: vehicle systems are not exactly bulwarks of security. Just like any other electronic device that runs code, they have vulnerabilities which can be attacked.

To make matters worse, car manufacturers also source many of their products and components from diverse outside vendors, which makes it harder to tell what technology is actually running inside the car.

Here’s what consumers — and investors — need to know.

How will cars be hacked?

As cars become more like computers, they can be hacked like computers. The future risks to cars range from data breaches to hijacking critical systems, backdooring the car network, extortion, and more.

Criminal hackers could target the car itself, the back-end servers supporting it, or the outside systems that communicate with the car, like ‘smart’ traffic lights. The possibilities are vast.

A criminal could steal personal information by hacking the car’s WiFi or cellular network, or compromising a third-party service provider. The coming trade in driver data could be particularly useful for identity thieves.

Ransomware could seize control of a car’s functions, or disable it altogether, until the owner or automaker pays the ransom. It’s also possible to carry this out on a larger scale, if an attacker is able to find a model-specific vulnerability.

Photo: Apple's Senior Vice President of Software Engineering Craig Federighi speaks about CarPlay on stage during Apple's World Wide Developers Conference in San Jose, California on June 05, 2017.

The infotainment system is perhaps the most vulnerable point of entry for the car. If unprotected, it is a direct conduit into the CAN bus, where an attacker could then migrate to other controllers and take over the car’s critical functions. In theory, this could allow a criminal hacker to remotely control or sabotage the vehicle – similar to what security researchers Charlie Miller and Chris Valasek demonstrated with the Jeep Cherokee hack.

Attackers could seize control of an entire fleet of vehicles by breaching the back-end infrastructure. This type of attack could occur if the hacker was able to compromise a manufacturer or key service provider and then use it to deploy malicious code to every car under its servers’ reach. We’ve seen this type of attack in other industries. Recently, ASUS was hacked and used to distribute the ShadowHammer malware as a fake software update to hundreds of computers.