As the auto industry enters an era where cars are increasingly relying on the internet to operate, some experts say that the shift to autonomy may pose greater cybersecurity risks if potential hackers target software vulnerabilities.
Although the experts are not aware of any cyberattacks targeting electric vehicles thus far, they said the auto industry should still be working to upgrade their security and software systems for the well-being of their customers.
And they said a real cyberattack against autonomous vehicles is very much in the realm of possibility. In fact, two cybersecurity researchers proved that it was achievable when they remotely hacked a Jeep Cherokee in 2015 to demonstrate the vulnerabilities of connected vehicles.
The researchers were able to gain access to the car’s steering, transmission and brakes. The simulation hack prompted Fiat Chrysler to recall 1.4 million vehicles so it could install software to fix the vulnerabilities.
A spokesperson for the National Highway Traffic Safety Administration (NHTSA) told Reuters at the time that it was the first time an auto company had to recall cars over cybersecurity concerns.
“That woke up the whole auto industry to the challenges they had,” said Shane Tews, a nonresident senior fellow at the American Enterprise Institute.
Tews said that unlike the aviation industry, which took cyber threats seriously amid terrorist attacks, “the auto industry didn’t have the same early nudge” to invest as much in cybersecurity.
“They just weren’t thinking about people somehow using cars in a nefarious way,” Tews said.
As for hackers, Tews said, they would be after the different components of a car that will easily give them access to the system. For instance, they may try to find out which firm a company uses for its locking system. Once they get that particular locking system model, they can work to hack the software to unlock the doors.
“Once you figure out that company F is the creator of the car locking system that Toyota and Hyundai uses, and you know which models and which years they’re using that locking system, you can now target those cars on the road,” Tews said.
Tews added that once the hackers are inside the system, they can continue poking around to access more information.
“The hardest part is getting inside that window,” Tews said. “Once you figure out how to open that window and then you’re in the house, now you can figure out what else you can get into.”
Tews also said that if the hackers want to maximize their profits, they can go after companies that have big fleets, such as rental car company Hertz.
James Anderson, a senior behavioral scientist and director of justice policy program at Rand Corp., said another potential concern is the increased use of over-the-air updates, which allow manufacturers to wirelessly deliver new software to the car without having someone physically there to make the changes.
Anderson said that the idea new features can be added to a car wirelessly may pose risks as hackers attempt to gain control of the vehicle.
“The risks are growing in the sense that more and more vehicles are moving towards the over-the-air software update capabilities, and vehicles are also generally moving towards more autonomous capabilities by which I mean giving more control over vehicle functions to the software,” Anderson said.
Anderson, however, emphasized that the cyber risks tied to autonomous vehicles are hypothetical at this time.
As for potential motivations, Tews said that 95 percent of the time it’s about money while the other 5 percent is creating fear.
“The biggest market is ransomware,” Tews said, adding that the hackers may do several tests to figure out how much they should request.
“The dollar amount should be high enough for them to make the effort but low enough that you will pay it and not tell anyone,” she said.
Hackers could also attempt to create fear by using vehicles as instruments of terror. For instance, a terrorist organization may hack a vehicle to harm a specific target, such as a diplomat, or use it to hit a government building.
Although these potential attacks have yet to materialize in the real world, Anderson said it’s important for the auto industry to be aware of the risks and take steps to mitigate them as more cars become reliant on the internet to operate.
“We want to anticipate this particular set of potential threats now so we can hopefully minimize the risks,” he said.