When fraudsters targeted the Car2Go app-based vehicle-sharing service in Chicago in April, more than 70 vehicles were taken within a few hours.
The vehicles were subsequently recovered, and it proved to be a case of fraudulent activity rather than a hack. Share Now, the joint venture between carmakers BMW and Daimler which includes Car2Go, has since enhanced the verification process for new accounts created in North America. But the incident highlighted the growing risk of attacks on connected cars — especially as the industry looks towards an automated future.
Whereas a wrongdoer gaining access to an ordinary laptop can steal data or render a computer useless, a vehicle in the control of criminals could theoretically be used to cause not only gridlock but the injury and even death of passengers and pedestrians.
The threat has not yet reached such extremes but automotive security breaches are prompting rising concern. Upstream Security, which monitors cyber attacks on connected cars, lists more than 260 worldwide since 2010.
The number is growing, says Dan Sahar, vice-president at the company. So far this year, 71 car cyber attacks have been recorded compared with 73 for the whole of 2018.
In the past, cloning electronic keys has been the most common way of gaining access. “But now that cars are more connected, with technologies such as WiFi and 3G, 4G, 5G, hackers have multiple ways to get in,” says Mr Sahar.
More than a quarter of attacks exploit cars’ cloud servers or mobile apps. A quarter of the attacks have resulted in theft and about the same proportion has enabled control of car systems, according to Upstream’s data.
The industry is aware of the risks and has begun to incorporate cyber security from the earliest stage of design. Traditionally, safety and security in the automotive sector were treated as two separate disciplines in different parts of their organisations, says Justin Lowe, a security expert at PA Consulting. “Now they are starting to move together,” he adds.
Hackers are attracted by the increasing amount of personal data captured in the electronic systems of cars and servers connected to them. These range from contacts, emails and ID numbers to drivers’ musical preferences, their weight, the journeys they have made and the destinations they have visited. “All this increases the incentives for hacking,” says Siraj Shaikh, professor of systems security at Coventry University’s Institute for Future Transport and Cities.
The industry is aware of the need to tackle this problem, says Cesar Cerrudo, chief technology officer of IOActive, a cyber security company, which highlighted the dangers in 2015.
An article in Wired recounted how two researchers seized control of the wheels and pedals of a Jeep Cherokee, made by Fiat Chrysler, causing the car to run itself into a grassy ditch — demonstrating the deadly potential that could arise from hacking moving vehicles. The incident led to a recall of 1.4m cars.
IOActive is helping carmakers avoid such risks by implementing different levels of access to applications and processes within car electronic systems. This “privilege separation” prevents hackers who compromise part of the car via Bluetooth or WiFi from moving to other systems and even taking control of the car.
Karamba Security, an automotive cyber security company, is working with manufacturers to stop factory settings being altered in real time. David Barzilai, its executive chairman and cofounder, says: “Rather than trying to spot suspicious software commands, which is the conventional approach to computer security, the car will just ignore a command that jumps outside a predefined function.”
The only changes allowed are from the system provider. “Cyber criminals will find this very hard to hack,” says Mr Barzilai. The technology will be in cars within two years, he says.
Much of the innovation in the sector is being driven by independent companies rather than regulators. The automotive industry lacks mandatory standards on cyber security but there are various governmental initiatives.
In 2016, SAE International, a professional body for car and aerospace engineers, published guidelines for automotive cyber security to help with secure design and testing. It is trying to turn these into a global standard.
The UN Economic Commission for Europe (UNECE), a regional body set up to promote economic integration, has a task force working on recommendations for cyber security in the automotive industry.
“This has the promise to grow into some mandatory compliance on design and secure operation of vehicles, but it is still work in progress,” Prof Shaikh says.
The US and EU have published guidelines with the aim of influencing the way self-driving cars are developed, regulated, and policed. Compliance, though, is voluntary. “Given that vehicle cyber security is still a new issue relative to safety, we will see more examples of legislation, regulation and technical standards emerging,” says Prof Shaikh.
Carmakers may also need to get used to a customer relationship that lasts far longer. “Whereas a traditional petrol engine car can still be happily driven around after the manufacturer has stopped supporting it, connected vehicles will need ongoing support for their electronic systems,” says PA Consulting’s Mr Lowe.
“If someone finds a bug or vulnerability in the code or in the component systems, that will need to be fixed or protected against.”
The industry has yet to address questions such as what happens if electric vehicle manufacturers go out of business. “Who takes up the maintenance of that code?” says Mr Lowe. “Would those cars just stop or remain vulnerable?”