Andy Greenberg was driving 70 mph (112 kph) on a highway in St. Louis, USA when his car’s radio suddenly blared and windshield wipers started moving – without him doing anything. “I can’t see anything,” he said laughing. The journalist for “Wired” magazine knew he was a guinea pig for Charlie Miller and Chris Valasek, who were remotely controlling the Jeep Cherokee with a laptop. But Andy didn’t think it was so funny when the two security experts managed to cut off the motor – right as he was barrelling down the motorway.
The cyber-attack on the Jeep Cherokee in July 2015 caused a big stir in the media, showing just how quickly people’s lives could be put at risk when hackers target connected cars. Automotive IT security has become crucial to ensuring driving safety. And its importance will only increase in the coming years, as driving becomes more automated.
So far, most of this car hacking has been done by so-called white and grey hat hackers – that is, by hackers with no intention of actually harming car passengers. Instead, they want to point out IT weaknesses or simply raise their standing in the hacking world by doing so. But as more cars become connected, it will increase the potential for them to become the targets of remote attacks by cyber criminals. They might try to steal vehicles – and not even need a crowbar to get inside. They could also disable a car’s electronics and demand ransom from the manufacturer. Or perhaps they just want to tap into a car’s SIM card to surf the Internet for free or download illegal materials.
Facing the threat together
The automobile industry has recognised the threat, but is still only beginning to take precautionary measures. A study by management consultancy McKinsey found that 75 percent of automotive managers had no strategy to combat a cyber-attack on a connected car. Moreover, there are no clear guidelines for the changing car security requirements. In Germany, with its important automotive industry, legislation for IT security merely touches upon them. But representatives from the industry, IT experts and scientific community have joined together for the initiative AUTOSAR and the EU project EVITA, in order to hammer out standards for control device software and secure onboard networking.
Perhaps it’s first necessary for original equipment manufacturers (OEMs) and automotive parts suppliers to rid themselves of their tendency to protect their know-how at all costs. They will now need to share their knowledge related to vehicle security if they want to stay ahead of the cyber criminals. While attackers can focus on the weakest aspects of a connected car, OEMs have to mount a broad-based IT defence. Some carmakers are following the example of Google and Facebook, as they ask hackers for help: Tesla and Fiat Chrysler, for example, have introduced “bug bounties” to encourage hackers to point out potential technological threats.
Going beyond the car
But how exactly a digital protective shield for cars looks like? “When industry decision makers think about information security, they normally focus on in-car systems as the most vulnerable spot,” wrote the consultancy PwC in its Connected Car Study 2015. “But the threat goes far beyond the surface of the dashboard.” IT security measures have to include the entire telecommunications infrastructure of a modern car: Onboard networks and control devices, wireless communication and backend applications at the data centres of carmakers.
That also means data security and privacy have to become a fundamental part of car development and design along with fuel efficiency, aerodynamics and engine performance. And this applies to both the big carmakers as well as their hardware and software suppliers that exchange data with manufacturers and their connected cars. For example, the carmaker would have to stipulate how suppliers secure the software of control devices.
Driverless cars require IT security
The automotive industry still has some work to do to assuage the concerns of drivers. The Jeep Cherokee hack in June 2015 was followed by other cyber-attacks, most of them via the car’s infotainment system. The effect on potential car buyers is dramatic: According to a KPMG survey from August 2016 , 82 percent of US consumers would refuse or would be reluctant to buy a car from a company than had experienced a hacker assault on its vehicles. The impact on the future of the automotive industry is clear: Autonomous vehicles can be only successful when carmakers manage to convince drivers and passengers that their data is secure.
Do you want to know which security measures are necessary for connected cars? Download T-Systems’ white paper on the topic here.