Your Car Could Be Hacked Right Now. Should You Care?
This is no longer a future problem.
It sounds like a plot straight out of a 1960s science fiction B movie: mastermind villains find a way to take control of the computers that are omnipresent in futuristic cars, sending them all careering into lampposts, buildings, and each other.
The horror! It’s a reign of terror! What do they want from us?!
Well, there’s good news and bad news.
The bad news is that this is far from being a future problem that we’ll only need to grapple with once cars are driving themselves autonomously. Hacking is a potential problem in today’s cars, and it’s an issue that’s here to stay.
“This stuff exists already,” says David Masson, Canada Country Manager for cyber defence company Darktrace. Masson also spent two decades in senior roles in military, diplomatic, and civilian organizations, including the UK Ministry of Defence, the Royal Auxiliary Air Force, and Public Safety in Canada.
“There are already internet-connected vehicles – not necessarily the whole vehicle, but parts thereof. And if you’re internet-connected, then you can be hacked.”
A Clear and Present Danger
Modern cars are becoming increasingly connected, whether through more complex cloud-based computing systems such as those already in use by Mercedes-Benz’s MBUX and the latest General Motors infotainment platform, or more simply by allowing devices to surf the internet via on-board Wi-Fi hotspots or connecting to dealership Wi-Fi networks to download system updates. The threat potential in vehicles equipped with these services is more in line with what drivers are used to seeing as a traditional conduit for hackers, making it a more present and identifiable issue.
However, Masson says that while these sorts of systems are not yet widespread, most of today’s cars have some sort of computer on board, and people don’t necessarily give much thought to the creative ways that hackers might worm their way in.
“There are lots of ways that bad stuff can get into your vehicle,” he says. “When I put (a car) in for service, the garage guys plug into the computer. You have to physically plug into the computer, like putting a USB stick in if you like. Obviously, quite soon they won’t have to do that. They’ll be able to access the computer by the internet, which means they can access all the (car’s on-board) sensors by the internet and you can start playing around with various things.
“And how do I know that the guys in the garage haven’t been hacked? Maybe their systems aren’t particularly clean, and then they connect with my vehicle and I get all their malware.”
Masson adds that the threat to a vehicle can come from even further outward, such as through hacks into the equipment that’s putting the cars together.
“You see a car plant and you see all the robots doing the welding,” he says. “A lot of these industrial systems were not designed with security in mind. They didn’t have to be because they weren’t connected to the internet. But increasingly, they are being connected to the internet, and they’re quite vulnerable because of it.
“Somebody could get in and hack, and instead of a spot weld being in contact for three seconds, they change it to two seconds. That weld is not safe anymore, and maybe your door will fall off your car. Or, somebody fiddles with the chemical compounds in winter tires, and all of a sudden, a whole batch of tires shreds. That is a potential threat.”
Or Maybe It’s Not About You
We tend to think of car hacking as being personally nefarious in intent – someone wants to change my radio stations on me or, worse, drive me into the aforementioned lamppost. But here’s the good news: Masson points out that an awful lot of hacking happens sight unseen with the victim unharmed, just to amass a wealth of computing power.
“It could be simply because they want the computing power of your car to go mining for Bitcoin,” he says, “or maybe they want your car and all your sensors to take part in a DDOS attack somewhere else.” (DDOS stands for Distributed Denial of Service, the term for a coordinated attack on a website or network that floods it with data and causes it to crash.)
Who Will Save Us?
As the threat potential of car hackers unfolds and enters public awareness, people are beginning to ask: whose responsibility is it going to be to ensure that our cars remain safe?
“There are armies of lawyers ready to decide that for us,” Masson says.
His view is that the nature of the automotive business is going to put a great deal of the responsibility directly into the hands of the automakers.
“You’ve probably heard the expression ‘you’ve got to patch your systems,’” Masson says. “The reason (programmers) brought out patches is because they designed so quickly that they didn’t realize there was that vulnerability, and then they find the vulnerability and now are trying to fix it afterward.”
“When you’re patching a system, it’s probably because there’s been a victim, somebody got hacked into and discovered something is wrong. So, you need victims before you get solutions. I would suggest we can’t really run that risk in the auto industry.”
“I would think auto manufacturers are going to be trying to make sure that you don’t have to patch vehicles so often because you’re trying to identify all the vulnerabilities at the first stage: security by design, if you will. So, ignorance probably won’t be a defence should something go wrong.”
Plus, Regulation is Coming
At the same time, governments are beginning to see the gravity of what can happen when digital freedom falls into the wrong hands, and regulation is beginning to take shape in parallel to automaker efforts.
“In the cyber world in general, the sheriff is coming to town,” Masson says. “The cyber world has been the Wild Wild West for too long. We’ve seen lots of issues, and legislation is arriving pretty quickly.”
Earlier this year, the European Union Cybersecurity Act was approved by the European parliament. Closer to home, the Canadian Centre for Cyber Security was established last October.
“This is all happening right now,” Masson says. “It’s not in the pipeline. It’s happening right now. And there will be regulations and standards that have to be set.”
But You Have Some Responsibility, Too
No matter how much automakers and governments might accept their role in public safety and security, there’s a great deal of control that will always filter down to the individual. Masson says that the time is now to understand the inherent vulnerabilities that our cars possess and to start asking different questions when buying new vehicles.
“Last time you bought a vehicle, you probably looked under the hood and kicked the tires,” he says. “How about next time you ask, when was it last virus-checked? Or, is the car connected to the internet? If it is, can I disable that internet connection?
“This is not something people ask in a car salesroom right now, but you’re pretty much going to have to do that.”
Am I Really in Danger?
This all seems primed to trigger a War of the Worlds-style widespread panic. Should we really be all that worried?
Masson says that the likelihood of a real-world catastrophe is currently low, but it’s never a bad idea to take this information under advisement.
“Is some evil genius somewhere really interested in hacking your vehicle? Probably not,” he says.
“But at the end of the day, it’s never up to us, the potential victims, to decide whether we’re worth watching. It’s always up to the bad guys to make that assessment. And if they think you’re worth it, they’ll do it.”