by Jonathan Michaels | 5:44 pm, January 4th, 20171
A future dominated by self-driving cars could make driving much safer – as long as hackers don’t take over the vehicles, which experts say is a very real risk to be taken very seriously.
On Monday, in the latest international terrorist attack, a truck driver in Baghdad pretending to recruit day laborers blew up the vehicle, killing 36 people.
If that’s not scary enough, experts warn that we’re heading closer to a day where terrorists operating from another city might hack into a car’s computer, and the vehicle they choose as a weapon could be yours.
“That target’s in everybody’s garage,” said Dr. Mark Rosekind, administrator of the National Highway Traffic Safety Administration (NHTSA), in a new report from Billington Cybersecurity. He says the sheer volume of devices and data in connected and autonomous vehicles represents a challenge to the automotive industry.
The report urges the automotive industry to adopt tough safety standards, and take cybersecurity cues from super-high-tech industrial giants like Boeing, to create autonomous vehicles that can’t be hacked.
The report also notes that the vulnerability already exists in today’s vehicles, which are more complicated and more advanced than ever before, each carrying an average of 100 million lines of code. As manufacturers make effort to churn out autonomous or semi- autonomous vehicles, expect that number to jump to 200 to 300 million lines in the near future.
In a demonstration of the present danger, white-hat (good) hackers placed a journalist in a Jeep Cherokee to demonstrate how they could take over from a laptop a few miles away.
“As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure,” wrote WIRED reporter Andy Greenberg. “That’s when they cut the transmission.”
ISIS is at the infancy stages of cracking the code, but make no mistake about it, cyberattacks are not outside their skillset. In April 2016, ISIS cyberattacked 3,000 ordinary New Yorkers, posted their personal information online and announced, “We want them dead.”
The month before, an ISIS group hacked into the New Jersey Transit Police website and obtained the names, home addresses, phone numbers and working locations of the officers, calling on its supports to carry out lone wolf attacks on the officers.
It is only a matter of time before ISIS– or another terrorist regime – begins attacking the interconnectivity of cars, reigning havoc on all. Reckoning back to the Jeep Cherokee incident, imagine the destruction that could be caused if hackers simultaneously caused each Jeep to fully accelerate, while disabling the steering and brakes. Or consider the resulting damage if terrorists caused the vehicles to start in a people’s garages in the middle of the night, causing their house to fill with toxic exhaust. The scenarios are not that farfetched.
Perhaps ironically, the same day of the Baghdad attack, a bill aimed at helping to improve automotive cybersecurity went off the radar.
Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.), members of the Commerce, Science and Transportation Committee, had introduced the Security and Privacy in Your Car (SPY Car) Act, directing NHTSA and the Federal Trade Commission to establish federal standards to secure automobiles and protect drivers’ privacy.
The bill languished in committee before officially dying when the 114th Congress ended on Monday (Jan. 2).
In the meantime, in October, NHTSA issued federal guidance to the automotive industry for improving motor vehicle cybersecurity. The policy asks developers to control access to firmware, limit the ability to modify security firmware, and control communication to back-end servers so communication between servers and vehicles can be properly secured.
Transportation Secretary Anthony Foxx said at the time, “Cybersecurity is a safety issue, and a top priority at the Department.”
Counter-cyberattack company Security Mentor suggests that auto manufacturers place “bug bounties” on their cars, offering rewards to anyone who can hack into their systems. The company believes that employing emerging hacking techniques is the only way automakers can guard against malicious intent.
So far, manufacturers have been resistant to the idea.
But that’s not to say that auto manufacturers aren’t looking for ways to hack-proof their developing autonomous tech.
In September, Volkswagen announced a partnership with the former head of Israel’s Shin Bet intelligence agency to develop cybersecurity systems for Internet-connected cars and self-driving vehicles.
“To enable us to tackle the enormous challenges of the next decade, we need to expand our know-how in cybersecurity in order to systematically advance vehicle cybersecurity for our customers,” said Volkmar Tanneberger, head of electrical and electronic development at Volkswagen.
As unfortunate as it is, we’re but a stone’s throw from the catastrophic implementation of a cyberattack on vehicles. We can’t wait to create a defense after carnage has occurred. We must act now, and expect the unexpected.
Jonathan Michaels is the founding member of MLG Automotive Law, APLC, which specializes in representing clients in the automotive industry.