Within the next five years, a quarter of a billion vehicles with connected features will travel on roads across the globe. How will we protect them?
Automakers are rushing connectivity into their cars. Features like 4G LTE and Bluetooth are now standard on many makes and models, and they’re keeping on-the-go motorists connected to their lives beyond the vehicle. In the coming years, our cars will connect more with the broader Internet of Things (IoT) and integrate seamlessly with smartwatches, smart houses, and smart cities. All those connections are potentially dangerous, warns Josh Corman, director of the Cyber Statecraft Initiative for the Atlantic Council, a Washington, D.C., think tank that analyzes global economic, political, and technological challenges. He says automakers are equipping cars with these connected features faster than they can defend them from cyberthreats. Sooner or later—and he argues it will be sooner—they are due for a reckoning.
Corman likens the scope of the connected-car threat to that of another promising development once widely used in building materials—until its cancer-causing effects were discovered. “When they first introduced asbestos, you were an idiot not to use asbestos everywhere,” he said of the building material. “It was a fire retardant. It was lightweight. It was inexpensive. Asbestos had clear benefits. There are obvious benefits in the IoT, but when it comes to putting connectivity in these cyberphysical systems, or in these cybersafety use cases, we’re going to look back on this point in history and say, ‘What were we thinking?’”
He’s not alone. In April, the Government Accountability Office released a study that suggested the Department of Transportation needs to define its role in preventing and responding to real-world cyberattacks on vehicles. The report said hackers could potentially attack a large number of vehicles—and that they could do so from anywhere in the world, a development made clear last year when researchers working from a residence in Pittsburgh remotely commandeered control of a Jeep Cherokee traveling along a highway in St. Louis.
That research set off alarm bells within the Department of Homeland Security, but the capabilities of car hackers have been well known in the auto industry since 2010, when researchers with the University of Washington and the University of California San Diego first demonstrated it was possible for outsiders to breach software systems in a vehicle and gain control. From those early stages, automotive cybersecurity has mushroomed into a massive potential pitfall. With 112 million vehicles now connected around the world, by 2023 the industry will be spending $759 million per year to grapple with those concerns, according to financial-services company IHS Markit. The number of connected vehicles is expected to double by 2025 to a quarter of a billion, according to Gartner, a global technology consulting firm.
“Cybersecurity will be one of the toughest challenges that the auto industry will face in the next decade or two,” said Colin Bird, senior analyst with IHS Markit. “Especially as more vehicles with telematics and embedded modems make connected cars an attractive target to cybercriminals, terrorists, and nation-states.”
Confronting the Threat by Sharing Intelligence
So far, car-hacking exploits have remained in the realm of white-hat researchers, who have demonstrated any number of holes in the security of a dozen automakers. But federal officials know they may not always be so fortunate and that they need to fortify cars against system-wide attacks.
In response to the GAO report, officials from the DOT have been writing the blueprint for a new cybersecurity policy that will be revealed “soon,” a spokesperson told Car and Driver. In the meantime, the Federal Automated Vehicles Policy released by the department addresses cybersecurity as it relates specifically to highly automated vehicles.
That document instructs OEMs that detection, response, and recovery options should be used to address threats and enable a quick response to events—actions that almost none are capable of today. Much as federal officials have urged automakers to share information on safety concerns related to autonomous vehicles, the government likely will expect the same when it comes to cybersecurity failures.
“Cybersecurity is another example of where we intend to push this sharing,” said a senior DOT official who requested he not be identified. “There are a number of places where we’re trying to encourage and help foster an environment where they don’t have to make the same mistakes their neighbor made.”
Charlie Miller, above, was one of two researchers who figured out how to remotely commandeer control of a Jeep Cherokee in 2015, an exploit that put the industry on edge.
Such sharing is already underway. A group that is one of the few existing bulwarks against car hackers, the Automotive Information Sharing and Analysis Center (Auto-ISAC), commenced operations in January 2016. Composed of members from major automakers and some suppliers, the group logged and shared more than 30 actionable threats in its first months, according to Jon Allen, the group’s executive director.
In July, Auto-ISAC published its set of best practices for automakers and suppliers. The document acknowledges that “a future vehicle with zero risk is unobtainable and unrealistic” and emphasizes ways that automakers and suppliers can assess risks, detect threats, and manage responses. NHTSA referenced the group’s best practices as a document that should be leaned on for guidance for highly automated vehicles, and it’s possible it will again make that recommendation when it comes to protecting the overall vehicle fleet.
But there’s one problem: Right now, almost every automaker lacks the ability to detect real-time threats at a broad level and initiate a response. While the OEMs have fortified defenses with the addition of software that’s supposed to identify and quarantine potential hacking attempts discovered on vehicle networks, no major automakers have the ability to preserve such network traffic in real time, nor the capability to capture data for follow-up investigations.
Corman, who founded iamthecavalry.org, a grassroots organization that analyzes the convergence of cybersecurity and public safety, published a Five-Star Automotive Cyber Safety Program that serves as another set of best practices. The third of those five stars recommends that automakers develop a method for evidence capture, something akin to a black box, that would track intrusion attempts and sabotage on the vehicle’s Controller Area Network bus.
But designing such a data recorder isn’t as simple as it is for the airlines. “One of the first things hackers do is delete the logs to hide their tracks, so you can’t simply try to do an evidence recorder,” Corman said. “You need to do it in a way that incorporates all the hard-fought and hard-earned lessons we’ve had in the private sector.”
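One way to build a recorder that survives the log-deletion problem Corman describes, shown here as an added example that is not from the article or the Five-Star program: each CAN frame record is chained to the previous one with an HMAC whose key is advanced one-way after every write, so edits, gaps, and wipes become detectable. The record layout, the initial key escrowed off the vehicle, and the externally reported `expected_count` are assumptions of this example.

```python
import hashlib
import hmac
import struct

GENESIS = b"\x00" * 32  # chain anchor for the first record


def _next_key(key: bytes) -> bytes:
    # One-way key evolution: a key stolen later cannot re-create earlier tags.
    return hashlib.sha256(b"evolve" + key).digest()


def _encode(seq: int, ts_ms: int, can_id: int, data: bytes) -> bytes:
    # Fixed-width header plus payload (classic CAN carries 0-8 data bytes).
    return struct.pack(">QQIB", seq, ts_ms, can_id, len(data)) + data


class Recorder:
    """On-vehicle side: holds only the current key and the last tag."""

    def __init__(self, initial_key: bytes):
        self._key, self._prev, self._seq = initial_key, GENESIS, 0
        self.records = []  # stands in for append-only storage

    def log(self, ts_ms: int, can_id: int, data: bytes) -> None:
        body = _encode(self._seq, ts_ms, can_id, data)
        tag = hmac.new(self._key, self._prev + body, hashlib.sha256).digest()
        self.records.append((body, tag))
        self._key, self._prev, self._seq = _next_key(self._key), tag, self._seq + 1


def verify(records, initial_key: bytes, expected_count=None) -> str:
    """Investigator side: replay the chain from the escrowed initial key."""
    key, prev = initial_key, GENESIS
    for i, (body, tag) in enumerate(records):
        if struct.unpack(">Q", body[:8])[0] != i:
            return f"gap or reorder at record {i}"
        good = hmac.new(key, prev + body, hashlib.sha256).digest()
        if not hmac.compare_digest(good, tag):
            return f"tampered at record {i}"
        key, prev = _next_key(key), tag
    if expected_count is not None and len(records) < expected_count:
        return f"truncated: {len(records)} of {expected_count} records"
    return "ok"


# Constructed sample frames (timestamp ms, CAN ID, payload); not captured traffic.
SAMPLE = [(1000, 0x244, bytes.fromhex("0000a1")),
          (1010, 0x7DF, bytes.fromhex("02010c")),
          (1020, 0x244, bytes.fromhex("0000a3"))]
```

Removing records from the end of the log, or wiping it entirely, is only detectable against a record count reported off the vehicle, which is why `expected_count` comes from outside the log itself.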
Reversal on Working with Independent Experts
If fortifying vehicular security and sharing information are two of the industry’s best defenses against hackers in the connected-car age, so is doing something that once seemed unthinkable: getting outside help from the independent researchers who thus far have pioneered the fledgling cybersecurity field.
Three automakers currently either offer bug bounties or run coordinated disclosure programs, which provide independent researchers an avenue to contact and work with companies to identify and neutralize vulnerabilities before divulging them to a wider audience. Tesla Motors offers a gold coin—a symbolic gesture that’s highly sought within the white-hat hacker community—and a factory tour to researchers who find and share vulnerabilities. General Motors started a coordinated disclosure program in January, and Fiat Chrysler Automobiles followed in July.
Those are developments encouraged by Auto-ISAC—and they amount to a seismic shift from how automakers treated researchers a year earlier. In 2015, automakers in general through their lobbying group, and General Motors specifically, said independent researchers should not hold the legal right to study the software in their cars, arguing the millions of lines of code that run almost every vehicle function were protected by copyright law. But researchers and do-it-yourself tinkerers secured an exemption in the Digital Millennium Copyright Act that mostly preserved their access to vehicles to continue peeking under the hood.
General Motors began to change its stance last summer, when hacker Samy Kamkar told the company he found a flaw in an OnStar smartphone app that allowed him to remotely start vehicles. Within a matter of months, GM reversed its stance of distancing itself from independent researchers and established its coordinated disclosure program. Within its first 48 hours of operation, the automaker received a large number of submissions, some of which included reports of bugs the company hadn’t previously known.
“Through that interaction, we understood not only the importance of working with researchers, but that it was important to provide them a clear and defined way to interact with us,” said Jeff Massimilla, chief cybersecurity officer at GM. “They’re probably as apprehensive to work with us as we might be to work with them. And we’ve learned we’re really good at working with automotive electronics and automobiles, but we didn’t necessarily know how to work with hackers on our own. We got a lot of guidance on our program, and it’s been great. I can’t get into statistics, but it’s provided actionable intelligence, and we’ll continue to mature that program.”
A Catastrophe Waiting to Happen
Intelligence sharing through Auto-ISAC and coordinated-disclosure programs run by automakers are two strong pillars for defending cars, but that may not be enough to thwart attacks. Corman says the DOT’s upcoming framework for handling cyberthreats should have some teeth. In the same way that systems checks for commercial aircraft are mandatory after a certain number of flight hours, that kitchen safety codes in restaurants are mandatory, and that seatbelts and airbags have become mandatory in the auto industry, he says regulations that set minimum standards for automotive cybertechnology are needed.
“None of those were voluntary,” he said. “I know there’s this fear that the heavy hand of government may not understand their sector well, but this is a reminder these things aren’t just cyber anymore. It’s cyberphysical systems. It’s cybersafety impact. It’s where bits and bytes meet flesh and blood.”
The number of reported vulnerabilities may soon increase. October 1 is the end of a yearlong stay in the implementation of the ruling in the copyright case, meaning researchers who may have felt afraid to report their findings for fear of being prosecuted or sued by automakers will be in the legal clear to share their knowledge.
Three automakers hosting coordinated disclosure programs is perhaps a good start, but what about the rest of them? At a time when the number of embedded connections in vehicles is increasing, the already deployed fleet is devoid of defense, and dongles that plug in to OBD-II ports are increasingly exposed as vulnerable, most automakers and aftermarket suppliers have no means to receive outside help.
Malicious actors aren’t waiting around for disclosure programs anyway, but the lack of clarity could slow the discovery of fixes for dire problems. Security flaws are crises waiting to happen, and a single breach that causes an injury or death could mean the connected-car age ultimately is short-lived.
“When we see some confidence-shattering cybersecurity failure that leads to a loss of life, you’ll see people aggressively disconnecting things,” he said. “Sometimes it takes a catastrophe to really get the hint. The issue I have is when that happens, the response times will be very long and very painful.”