More connected cars may mean more hacked cars
aul Guzzo | Getty Images
Cars may be getting smarter, but that doesn't mean they are getting safer.
As vehicles become more connected to the Internet, automakers are failing to take the necessary measures to protect them against cyberattacks, according to a report released Monday by Sen. Edward J. Markey, D-Mass.
Unlike breaches on retailers, banks and other institutions—where the loss could entail a credit card number or some other personal information—a cyberattack on your car could cost you your life.
"I don't want to be hyperbolic about it, but we are connecting computers to things that can now kill you," said Jeff Williams, founder and CTO of Contrast Security. "Cars are potentially a really deadly thing if you lose control. So we are crossing a threshold into a world where you aren't just losing a spreadsheet or a credit card number, you are talking about directly harming people."
More connected cars, more cyberthreats
Increasingly consumers are buying cars based on their level of connectivity, according to a recent study by McKinsey. The study found that 80 percent of car buyers consider connectivity "important" or "very important."
In fact, it's forecast that more than 50 percent of vehicles sold worldwide this year will be connected to the Internet in at least some minor way, and by 2025 it is predicted that every car will be connected in multiple ways, according to the GSMA.
While hacking a car's system has thus far primarily been something "white hat" hackers have demoed to prove that vulnerabilities exist, there's the risk that as more connected cars hit the streets more cars will become targets of attacks.
"From a vulnerability perspective, I think this could become a massive problem," Williams said.
"The vulnerabilities we see today are pretty hard to exploit. Often times you have to get close to a car in order to get onto the local network, sometimes you have to even attach something to the car to exploit these things. But as we move forward, cars are getting more and more complicated, and there will be more ways to get in."
Wireless means more security holes
Sensors, radars, cameras and lasers are all increasingly being built into vehicles to make cars safer and more convenient. Unfortunately, all the new technology also gives hackers more points of entry to gain control remotely.
"We now have lots of wireless access on vehicles. Everything like the tire pressure monitor in the system to the entertainment systems on board used for real-time navigation or streaming. We've got Bluetooth and Wi-Fi and all sorts of things like that on modern vehicles," said Richard Wallace, director for transportation system analysis at the center for Automotive Research.
"All of those allow someone who is not even inside the vehicle to gain access to do something malicious. Even something as simple as accessing your keyless entry system," Wallace said.
For example, some vehicles, including Tesla, have built-in wireless networks that enable the car company to send automatic software updates. While, this seems like a seamless way to issue large amounts of updates to cars' systems, it could also open up a new point of intrusion for bad guys.
"Being able to wirelessly update is great, but it also opens up another potential point for attack. If you can hack the update infrastructure and push your own update into cars then you can take over everyone," Williams said.
While remotely accessing a car to take over critical functions has proved difficult thus far, it's becoming more of a reality.
Just last week a security hole in BMW's system was exposed that allowed security researchers to spoof a cellphone station and send fake text messages to a SIM card in the car's telematics system. From there, the researchers could control the locks in the car.
"If I can unlock your car without a key, what else can I do? If I could figure out how to start the car, I could steal it. And with emerging automated vehicles, maybe you could make the vehicle drive away or smash it into something. These are real concerns," Wallace said.
Privacy concerns
Taking over a car's critical functions is not the only concern. There's also the issue of privacy.
According to Markey's report—which detailed information from 16 car manufacturers including Ford, Toyota and General Motors—there's an extensive amount of driving history data being harvested. This data can include specific location information, like where a car was last parked and distances traveled as well as time.
Nine of the automakers also used third-party companies to collect this data.
In November, the Alliance of Automobile manufacturers and the Association of Global Automakers published a set of voluntary privacy principles trying to limit the use of vehicle data used for marketing.
While Markey's report said that the agreement represents an important step forward by the automotive industry, it also stated that the established principles "continue to raise a number of questions regarding how car manufacturers will effectively make their practices transparent to consumers and provide consumers with rights to prevent sensitive data collection in the first place."
Are automakers doing enough?
Simply put, automakers are not keeping up with the threats facing drivers in connected cars, Markey's report concludes.
According to the report, automakers' security measures are "inconsistent and haphazard." And many of the automakers reviewed by the senator's office didn't even seem to understand questions posed regarding cyberthreats, according to the report.
The industry trade group Global Automakers did not immediately respond to a CNBC request for comment.
Yet it's critical car manufacturer's address these issues sooner rather than later, Wallace said.
"Now is the time to fix it. Before we have so much connectivity and automation in cars that the bad actors have really jumped onto this because it's a target," Wallace said.
Currently, there's not a lot consumers can do to protect themselves from potential hackers, said Carl Leonard, a principal security analyst at the cybersecurity firm Websense.
"Right now, we are reliant on the car manufacturers to make sure they are doing all they can. As a consumer, you can keep your eye on the news for recalls and make sure your software is up to date. Consumers should also be careful when plugging into different wireless networks with their car," Leonard said.
Because an intrusion detection system for cars does not yet exist it's difficult for automakers and consumers to know when a vehicle is under a cyberattack, Williams said.
In fact, the only way a person would know is after it's too late.
"Every one of the systems in your car could fail and that is how you would know you were under attack," Williams said. "There's no way to know and in the worst case scenario you will never know you because you will be dead."
No comments:
Post a Comment
Comments always welcome!