In a 2014 interview with CNN, Tesla Motors CEO Elon Musk said that “autonomous cars will definitely be a reality.” Almost every year since then, Musk has proclaimed that Tesla’s self-driving cars will be out soon. Musk’s predictions have not yet borne fruit. However, innovations are continuing apace, which is great news.
The not-so-great news is that security issues have also emerged in autonomous vehicles and digitized cars in general. These issues have caught the eye of governments, regulators, and even the general public, and created a need to consider automotive innovations with a pinch of salt. Here’s why.
Known Security Risks in Digitized Vehicles
Modern vehicles are powerful and highly digitized computers equipped with high-end hardware, software, and wireless technologies. These innovations make driving a smooth and unique experience for millions of drivers worldwide. However, these same innovations also have security issues that can make driving a nightmarish experience. Exploitable vulnerabilities, open back doors, and lax security protocols create opportunities for threat actors to hack into a digitized car and create all sorts of problems.
For instance, they could compromise the vehicle by loading malware or ransomware into its operating system. In 2019, the U.S. FBI issued a Private Industry Notification (PIN) stating that malicious cyber actors had stepped up their ransomware activities against the automotive industry since 2018. In addition to ransomware, other attack vectors allow threat actors to exploit security blind spots in modern automobiles, including email-based phishing attacks, brute-force attacks using stolen credentials, insider threats, leaked databases, and open ports.
Remote keyless systems are also a source of vulnerability in digitized and self-driven cars. In 2020, a researcher at the University of Leuven in Belgium discovered numerous vulnerabilities in the Tesla Model X keyless entry system. Attackers could exploit these vulnerabilities by using a modified key, a low-cost computer, and the car’s body control module (BCM) to hijack the vehicle’s Bluetooth connection and then use it to unlock the car, take over its functions, and even drive it away.
The privacy risks of digitized vehicles — both to user data and users themselves — also cannot be ignored. Many of these vehicles collect information about car owners and their locations, usually for authentication, safety, settings customization, or navigation purposes. But if threat actors manage to get their hands on this data, they may be able to track the driver and their location without the driver’s consent or knowledge. Clever hackers may also be able to access information about trips that the vehicle owner wants to keep private, and then use it to embarrass, blackmail, or stalk that person — and even to cause them physical harm.
Security Problems Created by Cellular Connections, Apps, and Dark Web Tools
Digitized, Internet-connected cars are also susceptible to cellular-based remote attacks. In 2015, security researchers Chris Valasek and Charlie Miller demonstrated exactly how threat actors could take control of a connected car via a cellular connection. All the bad guys would need is 3G bandwidth, a smartphone, and a laptop. With these simple building blocks, they could shut down the car’s engine, steal its data, and manipulate its navigation system to send the driver to the wrong location. They could even make the brakes stop working, seriously jeopardizing the driver’s health and life.
Remote “carjacking” has become even easier now for financially motivated attackers, state-sponsored terrorists, and groups engaged in corporate espionage. These malicious actors can easily access hacking tools, services, and tutorials on the dark web to attack cars via key fobs, diagnostics systems, and mobile apps.
Another security worry is that modern cars are equipped with numerous Internet-connected apps — which smart attackers can reverse-engineer to manipulate the vehicle’s engine, brakes, GPS, and more. They can even create faux applications that give them full control over the car’s systems.
The Need for Stronger Security in Digitized Vehicles
Increasing digitization expands the attack surface, giving cybercriminals more ways to author new attacks, manipulate functions like brakes, get backdoor access to enterprise networks, and steal vast quantities of valuable data. Also, more specialized tools will become available on the dark web in the future, so we might see even more attacks launched via infotainment systems, wireless tire pressure sensors, charging stations, and key fobs.
To keep up with these new risks, carmakers must be more aware of the security risks to their digitized vehicles. They must also upgrade their security practices. At the very least, they must constantly test their hardware and software for vulnerabilities, and act early to patch them. They must also implement multi-layered security defenses with stronger passwords, multi-factor authentication (MFA), intrusion detection systems, and lockout policies. Data encryption is also vital, both for sensitive trade secrets and personal customer information.
A deliberate “privacy by design” approach is also vital when designing digitized and autonomous vehicles to protect user data and physical safety. Endorsed by the U.S. Federal Trade Commission (FTC), the approach enables carmakers to build security into their vehicles right from the outset, and safeguard users’ personal information and safety from harm.
Manufacturers should also comply with globally accepted cybersecurity engineering standards for road vehicles, such as ISO/SAE 21434:2021, when designing, developing, operating, and even decommissioning a vehicle’s electrical and electronic (E/E) systems. Complying with the standard’s requirements allows carmakers to manage and minimize the cybersecurity risk in their products.
Tech companies also play an important role in securing connected cars and protecting vehicle owners (or drivers) from harm. For instance, chipmakers must secure their chips — part of cars’ computers — with features like secure booting and secure key storage. They must also leverage verification techniques during chip design, implement robust post-production testing protocols, and take steps to prevent data exfiltration — all of which can help minimize a vehicle’s security and privacy risks.
Rapid technological advances in the automotive industry are a cause for celebration, with Internet-connected vehicles and self-driving cars promising to enhance drivers’ experiences. However, digitization also creates security issues that hackers can exploit to take over vehicles and endanger drivers. The time to address these issues is now. Only then can the world realize the benefits of automotive innovation — and make cars safer for everyone.