Connected Cars Race to Market, Raising Cybersecurity Fears

Hackers like to say internet-connected cars are like smartphones on wheels. These days, some of them even update software “over the air,” like your phones do. But phones don’t weigh thousands of pounds or travel at potentially lethal speeds on the regular. By 2022, it’s estimated that two-thirds of all new cars will feature such connected systems.

Already, a cottage industry has sprung up to meet burgeoning demand for white hat hackers — game for a price — to help automakers identify vulnerabilities before black hats do.

"A very good defense is a good offense, right?" asked David Baker, chief security officer and VP of operations for Bugcrowd in San Francisco. Like the name suggests, Bugcrowd helps curate auto industry crowdsource solutions from a relatively small number of hackers who know how to help.

Automakers cover the cost of Bugcrowd's listing management as well as the rewards for identifying bugs. Payouts range from $5,000 for identifying a relatively minor bug to many multiples of that for something critical.

It might give you some comfort to know Baker says car hacking is relatively complicated and expensive compared to other forms of hacking, because it involves access to and familiarity with car parts.

"That's a little bit more of an attack surface than typically you would have just from electronic or wireless access. We have researchers that have the dashboard of a Tesla sitting in their living room," he says.

But it doesn’t take a paranoid person to imagine it’s just a matter of time before cheat sheets are available for sale on the dark web.

At a press conference ahead of several major cybersecurity confabs this past summer, Jamie Court with the Los Angeles-based Consumer Watchdog warned, "Hackers tell us it's just a matter of money. It could be hundreds of thousands of dollars. It could be millions. But you know what? A hostile government has that kind of money."

In an effort to force a more public conversation about automotive cybersecurity, the non-profit released a report called "Kill Switch: Why Connected Cars Can Be Killing Machines and How to Turn Them Off.”

"Car companies are selling connected cars on the basis that you can turn your car on with your cellphone and get the air conditioning running on a hot day. Well, if you can turn your car on and get the air conditioning running with your smartphone, someone else can access your smartphone and shut your car down in the middle of the highway at rush hour," Court said.

Nothing like that has happened (that we know of), but since Wired magazine first detailed a spine-tingling Jeep hack in 2015, killing the engine while the reporter was in the vehicle on a freeway, there has been a steady dribble of similar headlines showing the progress hackers are making.

Just a few days ago, Wired published an article about another exploit: Hackers Could Steal a Tesla Model S by Cloning Its Key Fob—Again. Tesla quickly fixed the problem with an over-the-air software update. Techno cognoscenti point out that's faster and cheaper than a recall involving a physical trip to your local dealership. But they add the phone/car comparison has its limits.

"In a smartphone, we have maybe two, three, four CPUs. In a vehicle, we have 100 different electronic control units manufactured by dozens of manufacturers," said Assaf Harel, chief scientist at Karamba Security, an Israeli company with offices in Germany and the U.S.

"It's like the Babylon Tower, with different vendor competitors," Harel added, referring to the Bible story in the book of Genesis that functions as an origin myth explaining why the world's people speak different languages, unable to understand each other.

The Alliance of Automobile Manufacturers, which represents 12 of the majors worldwide, says the companies are all partnering with public and private researchers to share tips and codify standards. Regardless of whether and how regulators step in to direct that conversation, Harel said automakers have simply joined a growing number of industries forced to see up-to-the-minute cybersecurity as the cost of doing business.

"That will elevate the level of cybersecurity in the vehicles, in airplanes, in medical devices, in many other deployments, to a state where it just doesn't make sense for cybercriminals to look that way," Harel said. "They have much easier low hanging fruits to tackle."