Vehicle hacking already has a 15-year pedigree. Though there are at least 36 million vehicles on the road today already connected to the internet, manufacturers appear to have learned little from the biggest security crises of the internet era. Cybersecurity is, yet again, a bolted-on afterthought rather than an integral part of the engineering of an interconnected vehicle.
Hackers started around 2002 by targeting engine-management technologies that control performance superchargers and fuel injectors. In 2005, Trifinite demonstrated using Bluetooth to surreptitiously intercept or transmit in-car audio signals. In 2007, UK firm Inverse Path showed how hackers could compromise the integrity of in-car navigation systems by sending fake traffic updates over FM, causing cars to reroute.
In 2010, experimentation was overtaken by more dramatic interventions that could affect the mobility of the car itself. In Texas, a disgruntled former car-dealership employee used stolen credentials to access a web-based vehicle-immobilization console and began systematically “bricking” cars that had been sold by his former employer.
It could be argued that this remote attack relied on an aftermarket vehicle immobilizer (implemented to “encourage” late-payers into coughing up), and as such cannot be directly attributed as a weakness of connected vehicles.
Remote Hacks Become a Reality
However, no such arguments applied in 2015 when Charlie Miller and Chris Valasek were able to remotely commandeer a Jeep Cherokee that was being driven on the public highway. Exploiting a zero-day vulnerability in the vehicle’s entertainment software, they were able to take over the dashboard functions, steering, brakes, and transmission.
Two years later, Miller and Valasek had refined their research to the point where they were effectively able to take full control of the vehicle, bypassing the limited onboard digital security and error-correction mechanisms to slam on the brakes, accelerate, and turn the wheel at any speed.
While Miller and Valasek did not carry out these second attacks remotely, instead using a laptop connected directly to the Controller Area Network (aka the CAN bus) within the vehicle, their earlier research indicates that this remains a possibility.
Fully autonomous vehicles are not yet licensed for the majority of road networks globally, and the connected car industry is still in its infancy. So what does this research and the associated vulnerabilities and exploits mean for our future?
Even in 2015, Miller and Valasek were able to remotely identify 471,000 Jeep Cherokees on the road, any one of which they theoretically could have digitally commandeered. Estimates for adoption rates of fully autonomous vehicles vary, but one study from BCG estimates that by 2035, more than 12 million fully autonomous units could be sold annually around the world, along with a further 18 million semi-autonomous units capturing 25 percent of the new car market.
Current Technologies Not Fit for the Future
We already live in a world where every company is now a software company to some degree. Whether it’s the logistics, healthcare, agriculture, or automotive industry, their products and associated ecosystems are already highly digitized, software-driven, and interconnected.
Unfortunately, many traditional manufacturers, while highly skilled in their areas of expertise, previously did not have to consider digital security in their design phase. Traditional automotive technology may have been discreetly interconnected internally, but any meaningful external exchange of data went through the onboard diagnostics port.
Consequently, the level of security currently built into CAN bus technology is rudimentary at best and easily overcome. Research has already shown that the flaws in CAN bus architecture are so fundamental that they can be fully addressed only through an update to the CAN architecture standard.
The future of autonomous vehicles relies on an exponentially increasing connectivity. Vehicle-to-vehicle transmissions (V2V) allow for the creation of ad-hoc wireless networks on the road—vehicles exchanging road condition and traffic data, for example.
In the same way that the Internet of Things (IoT) quickly gave way to the Internet of Everything (IoE), V2V is already being superseded by V2X or Vehicle to Everything.
This encompasses V2V, V2I (Vehicle to Infrastructure), V2P (Vehicle to Pedestrian), V2D (Vehicle to Device), and V2G (Vehicle to Grid) — and you can expect that list of acronyms to continue expanding.
With extra connectivity comes more lines of code, and with more lines of code come more vulnerabilities. That expanding ecosystem means more joints to secure and more potential points of malicious access.
Future Attacks, Forward-Thinking Defense
If you’re thinking that cybercriminals are motivated by money and you can’t see why they’d be motivated to attack vehicles, I’ll leave you with a couple of scenarios.
The first, and perhaps most familiar, is ransomware for cars. Imagine unlocking your vehicle in the morning and instructing your digital assistant to deliver you to work. Instead of being greeted by the familiar digital persona, you are met by a ransom demand: “If you ever want to drive this car again send 1 CrypCoin to… Any attempt to remove this ransomware will result in your engine block being fused.”
In a far more insidious scenario, consider the current favored weapon of terrorist groups. I could make a strong case for it being vehicles, as witnessed by recent attacks in London, New York, Nice, and Barcelona.
Imagine a future fleet of autonomous vehicles, all sharing a common, remotely accessible vulnerability, on our roads. The vehicles’ onboard sensors could be used to identify targets and their V2V communications subverted to act as a coordinated group—while the attacker operates everything from thousands of miles away.
It is imperative that cybersecurity organizations and researchers work very closely with the automotive industry to help them bridge the skills gap — not to mention the cyber-skills shortage — ensuring that security in the autonomous vehicle age isn’t bolted on, but is instead built in.
We need to learn the valuable lessons that today’s internet is teaching us. Rapid innovation and adoption — without a thought for security — provides a fertile breeding ground for crime and malfeasance.