Connected cars are great, until they're not. A recent Detroit Free Press article shows that vehicle hacks are more common and more dangerous that most people realize.
There were at least 150 automotive cybersecurity incidents in 2019, part of a 94 percent year-over-year increase since 2016, according to a report from Upstream Security.
Oh, and here's a phrase we're loath to see, even though we're likely to come across it plenty more in the future: ransomware for cars.
It is impossible to remotely hack into an unconnected car. But if you're not driving the latest vehicle from Tautology Motors, your vehicle is likely at risk from some sort of digital intrusion. In fact, almost every car on the road today, if it can connect, can be hacked to some degree.
That's the opinion of Moshe Shlisel, the CEO and cofounder of GuardKnox Cyber Technologies, a company that focuses on protecting vehicles from just these kinds of attacks.
“The more sophisticated the system is, the more connected your vehicle is, the more exposed you are,” Shlisel told the Detroit Free Press. “We have taken whatever model [car] you think of and we hack them through various places. I can control your steering, I can shut down and [start] your engine, control your brakes, your doors, your wipers, open and close your trunk.”
Shlisel isn't the only one trying to predict and prevent hacking threats. Upstream Security put out its annual Global Automotive Cybersecurity Report that lists the top cyber incidents of 2020. These included a hacker gaining control over “Tesla's entire connected vehicle fleet by exploiting a vulnerability in the OEM's server-side mechanism” and hackers taking “full control of an OEM's corporate network by reverse-engineering a vehicle's [telematics control unit] and using the telematics connection to infiltrate the network.”
The Free Press cited Upstream's report, which said there was a 99 percent increase in cybersecurity incidents (to 150) in 2019 and a 94 percent year-over-year increase since 2016. With more communication methods being built into new vehicles, including massive over-the-air update technologies, this trend is unlikely to reverse any time soon.
Ransomware for Cars Is Coming
All of these attacks mean automakers have to take a proactive stance in this fight. Part of the automakers' defense strategy is to ask “white hat” ethical hackers to show them where the cars are vulnerable in exchange for monetary rewards or, in some cases, jobs. The famous hacker duo who took control of a Jeep Cherokee back in 2015 now work for Cruise, the autonomous-vehicle subsidiary of General Motors.
Michael Dick, CEO of C2A Security, an Israel-based automotive cybersecurity company, told the Free Press he expects the current trend of hackers holding digital data on computers for ransom to move to cars at some point. When this happens, driver will not be able to start their vehicle until they pay off the hacker or suffer the consequences. “There's no way around it,” he said. “You'll have to get it towed and get all new software to start it.”
For some transportation companies, ransomware attacks have already happened. Upstream Security's report mentions a ransomware attack on the Australian transportation company Toll Group, which affected 1000 servers and 40,000 employees. And Honda was forced to stop production in June 2020 due to ransomware attacks on plants in Europe and Japan.
Upstream Security recommends three ways automakers can build secure vehicles, and they're all complicated. First, security has to be part of the design of every component. Second, there needs to be a multi-layered cybersecurity solution that involves in-vehicle, IT network, and cloud security defenses. Third, automakers need to develop vehicle security operations centers “to monitor, detect, and quickly respond to cyber incidents to protect vehicles, services, fleets, and road users.” How well the auto industry builds up these defenses will define how much drivers love their connected cars as the risks are better understood.