How safe are connected vehicles really?

Typography
Features

Drawing upon cyber-attacks gone by, Natalie Sauber of Arcadis questions whether connected vehicles will ever be truly safe, and outlines the steps auto manufacturers should be taking to ensure public safety.

It is estimated that by 2022, the global market for connected cars is expected to growby 270%, with more than 125 million connected passenger cars on the roads.

Numerous advanced technologies come together to progress connected vehicles towards becoming fully autonomous. Connected cars are part of the internet of things (IoT), which can assist with a wide range of potentially useful functions. Advanced sensor technology allows the car to receive real-time traffic updates, as well as collecting weather updates on the go. Similarly, it can receive information on when to make a turn, identify the right speed limit or even assist with smart parking – because let’s face it, we all hate parking.

These applications are designed to enhance the driving experience and open drivers to new possibilities. And just like other IoT systems, connected cars are vulnerable to hacking, data breaches, hijacking and more. 

Is car hacking old news?

Why do we not hear more about car hacking? For the last couple of years, you couldn’t open a newspaper without hearing about a hack. Recently however, it has all gone rather quiet. Has the hacking really stopped? Or have the cars simply improved to be anti-hacking? Unfortunately, no – most auto manufacturers now offer what is called “hacking bounty”, which not only pays good money to the hackers but also stops them publicising their efforts – mostly anyway.

The cars themselves have not really changed; in fact, they are getting more vulnerable. Keyless cars now present a very easy way to hack. The figures shared by the Office for National Statistics (ONS) reveal a whopping 113,037 incidents of ‘theft or unauthorised taking of a motor vehicle’ in the last year alone. 

Most auto manufacturers see security as a roadblock, when really it is an enabler and must be prioritised. No autonomous car will be on the road if it is hackable – think about it, would you let an autonomous taxi pick your kids up from school?

Public safety is at risk

Disgruntled employees or ex-employees are also a great risk to companies and connected cars. They have access to source code information and much other data which, in the “wrong” hands, can be very dangerous. We’ve already seen a number of high-profile incidents taking place, including when a disgruntled former Tesla employee made changes to manufacturing source code and exfiltrated sensitive data to outsiders.

The headline news of such hacks is disturbing as they represent a threat toward human life. One hack could take the lives of not just a driver and their passengers, but also pedestrians, bystanders and other drivers on the road. Of course, there is also the financial impact which could run to billions of pounds.

Impacts of cyber-attacks

The impact of cyber-attacks on connected cars can range from theft to data breaches, location tracking and fraud. However, the most common is unauthorised control over car systems through access points via infotainment systems, a USB connection, Bluetooth connection and of course its cellular network. There have even been incidents where hacks have been carried out via tire-pressure monitoring systems. Not only do the car’s internet-connected systems need to be secure, but so too do the internal networks that run within the vehicle.

Cyber-attacks like these, which involve the physical elements inside the car, are worrying. These can be split into low physical risk (i.e. unlocking doors) but can also have far wider reaching consequences impacting human lives – only imagine what might happen at high speed when the vehicle is moving!

It is not just the vehicles which are at risk. The entire ecosystem of smart mobility companies is at risk from cybersecurity vulnerabilities. While car manufacturers are an obvious target, Tier 1 suppliers, telematic service providers, fleet operations, car sharing companies and public and private transportation providers are facing an ever-increasing threat. Even companies that operate commercial ride share fleets are open to fraud attacks. At the end of last year, Uber was fined £116 million for failing to notify drivers that they had been hacked back in 2016.

The rise of Bug Bounty Hunters

In 2018, GM invited a handful of researchers – commonly dubbed “white hat” hackers – to find loopholes in its vehicles in an effort to find and fix any insecurities. In 2016, Tesla offered between US$100 (£78) and US$10,000 for every bug found in its software, depending on the severity of the breach and its potential ramifications.

Connected cars have already been successfully hacked. In reality though, these attempts pale in comparison to what is happening in other technology sectors. There is a strong consensus that auto manufacturers have so far stayed ahead of potential attacks, but we don’t know for how much longer.

At the moment, automotive hacking has not been that lucrative in terms of financial gain. Of course, as we get more connected vehicles on our roads, the threat of cyber-attack is only set to increase.

But the industry is fighting back. More than 30 companies have joined to form the Auto-ISAC (Information Sharing and Analysis Centre). The ISAC is devoted to tracking, sharing and fighting back against potential cyber threats. 

Will connected cars ever be safe? 

Yes, but it will depend on significant investment from auto manufacturers. We also need to see a cultural shift whereby people are more prepared to spend money to protect their own data. Security concerns will always be an issue but, with a collaborative approach across the entire industry, it will be possible to deliver a safe, efficient and accessible way forward for connected and autonomous vehicle for all.