Given the exponential rise in security breaches and hacking activity in the past few years and the almost constant headlines in the press of yet another major security breach, information security should be a front burner issue for every business. While the auto industry has, for the most part, avoided being a primary target for hackers in the past, having only faced research demonstrating “possible” attacks, that is likely to change in the near future. There are four reasons for that change:
- Big Data. Carmakers, dealerships, and their suppliers and vendors have developed extremely large databases of consumer information, ranging from customer preferences, to financial information, to driving statistics, to location-based data. These huge databases make tempting targets for hackers. They are also drawing the attention of regulators who are increasingly viewing dealerships as financial institutions in terms of the magnitude of personal consumer information collected in their finance and insurance departments.
- Connected Nature of Cars. Industry studies show that by 2017 more than 60% of new vehicles will be connected in some way to the internet, making them part of the “Internet of Things.” Many automobiles have wireless connections to the internet via Bluetooth and wireless hot spots through cellular connections. In addition, cars now feature a multitude of applications that can be accessed and controlled by a driver’s smartphone, which, itself, connects to the internet. These connections may pave the way for a hacker to gain control of a car’s systems and data. This is not fantasy, but fact. Researchers at the DEF CON hacker conference recently presented evidence of how they were able to hack and take control of the electronic smart steering, braking, acceleration, engine, and other functions of several types of vehicles. This follows similar research several years ago conducted by the University of Washington and the University of California-San Diego, where various functions of a car were compromised using Bluetooth, modified CDs, and other techniques.
- Automotive Complexity. The volume of programming in a modern car is staggering. Programming is typically measured in “lines of code” (LOCs). For example, a pacemaker may have about 80,000 LOCs. The original space shuttle had about 400,000 LOCs. Only a handful of technologies have in excess of 100 million LOCs: the total DNA of a mouse, the code for the ill-fated Healthcare.gov website, and the software in the average high-end automobile. A study at Carnegie Mellon University showed that, on average, commercial software contains between 20 and 30 bugs for every thousand lines of code, meaning the software in an automobile could have 1 to 2 million bugs that could be exploited by a hacker.
- Interconnectivity of Carmakers, Dealerships, Suppliers, Vendors. In addition to the foregoing, the systems used by carmakers in the design and manufacture of their vehicles, systems on which maintenance information is stored, systems maintained by dealers and their respective vendors and suppliers, etc. are all vulnerable to attack. This is particularly so in the context of the interconnections between and among those systems and the continuing trend to place many of those systems in the “cloud.” The interconnected network of all those systems is only as strong as its weakest link. If one system is compromised, the others may fall. Hackers routinely exploit this exact interconnected nature of complex systems to compromise a weak outlying system and leverage it to gain access to far more heavily secured systems.
Just as the retail and oil and natural gas industries have done, the auto industry is moving to create an Auto ISAC (Information Sharing and Analysis Center) to address information security issues. That is an important step in mitigating security risks. Another is ensuring directors and officers are appropriately educated regarding information security risks. To assist in that effort, our firm has created a white paper, entitled “Taking Control of Cybersecurity: A Practical Guide for Officers and Directors.”