Modern cars have become increasingly smart and are now stocked with hundreds of embedded processors, software applications and connectivity devices. An average car now has more computing power than the whole of the Apollo moon-landing computers put together, and so cars are no longer simply cars anymore – they are digital computers on wheels.
An estimated 55 million smart or ‘connected’ cars were produced last year, and the European think tank IDATE predicts this number will increase to a total of 420 million by 2018. Connected cars offer endless opportunities for innovative features and services, such as point of interest navigation, Wi-Fi hotspots, and music and video streaming, which in turn increases OEM revenues. However, as modern cars become ever more sophisticated, the greater is the risk of vulnerability to cyber-attacks.
Although to date there have been no ‘real-life’ occurrences of a cyber-attack or car-hacking event on a car, there have been numerous recent reports and incidents of researchers and ‘white hat’ hackers who have gained access and control of a car’s systems using relatively simple techniques. An attacker may exploit vulnerabilities in a car’s infotainment system or exploit the telematics system and wirelessly compromise the car. Indeed, researchers in Germany hacked BMW’s telematics system, which allowed the windows and doors to be locked and unlocked, leading the company to issue a software patch for an estimated 2.2 million cars. Also, a recent DARPA funded demonstration allowed a hacker to take control of a car, enabling him to steer, accelerate, brake and turn off the engine while the car was in motion. While more recently, Fiat Chrysler Automobiles recalled 1.4 million cars to address a software issue that allowed a hacker to wirelessly control a Jeep’s brakes and transmission via the car’s entertainment system during a test event.
In another ingenious hack, demonstrated in an off-road environment, attack data was sent via digital audio broadcasting (DAB) radio signals to the car’s DAB radio, which allowed the brakes and other critical systems to be remotely controlled.
These incidents illustrate the very real threat car-hacking poses to modern cars and just how seemingly unprepared the automotive industry is to ward off would-be hackers.
Last year, a US Senator released a report which detailed major deficiencies in how car manufacturers are incorporating security into connected cars. The report noted that only two of the world’s 16 major car companies had developed any capability to detect and respond to a hacking attack in real time. The same Senator is now pushing for legislation that will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.
The hacking community has been quick to exploit the potential flaws in car security, not for immoral purposes but rather to highlight the risks to manufacturers, in much the same way hackers have assisted the IT industry in identifying security issues in servers and software. However, the automotive industry wants the US Copyright Office to deny an exemption to the Digital Millennium Copyright Act which the white hat hackers are now seeking. The exemption would protect the white hat hackers, also called security researchers, from legal actions for infringing intellectual property law when they investigate car computer systems, looking for weaknesses that could make the vehicles vulnerable to malicious hackers.
Opponents and supporters of the exemption have spent the last year submitting written comments and finally met earlier this summer to argue their case at a Copyright Office hearing.
Automotive software is, by nature, copyrightable content. The mere fact that automotive software has practical uses does not negate car manufacturers’ and suppliers’ rights to protect access to, or to prevent others from using that content. As copyright owners, manufacturers are not unlike other owners of different categories of copyright works, and must not be assailed for seeking to protect competitive advantages arising from those works.
Proponents of the exemption argue that, although manufacturers may not like it, they need white hat hackers who act independently to discover and disclose computer flaws before they can be exploited. The threat of a copyright action, or worse, stymies that vital work, they say. It is expected that a decision on the exemption will be available by October of this year.
However, is it fair to say that the automotive industry is still stuck in neutral gear regarding its response to this new threat? Well maybe not, as there are recent signs that the industry is now beginning to wake up to the increasing possibility of cyber-attacks. Indeed, Dieter Zetsche, Chief Executive of Daimler, has warned that defending car systems against such attacks has become “essential”.
Toyota is also apparently developing firewall technology to prevent remote access to its vehicles, while Ford has commented that they are now working continuously to ensure that “all our electronic systems have robust security protocols”.
British Telecom has also announced a so-called “ethical hacking service” to test exposure of connected cars to cyber-attacks, and Southwest Research Institute is overseeing a consortium, with selected partner automotive OEMs, to investigate the threats further. Moreover, there are an increasing number of third party suppliers who are now patenting innovative technologies that scan all traffic in a vehicle’s network, identifying abnormal transmissions and enabling real-time responses to threats. As cyber threats are dynamic in nature, software patches can be deployed using secure cloud servers and real-time Over-The-Air (OTA) updates.
As the white hat hackers warn, “We’re in a race against time to combat this threat”. However, David Drescher, CEO of Mission Secure, a cyber security company, believes automotive OEMs are actually spending a lot of money on this now, but he agrees that “…it’s a complex issue and not easily solved. It will be a long road.”
So the message is clear, the fight to protect your car’s security has just begun.