A few years ago my car was stolen. It was a truly horrific event that still makes me triple-check that all the doors are locked and the alarm is set each time I park. I’ve also experienced having my credit card compromised, my website and Twitter accounts breached, and my checking account hacked, resulting in a federal investigation. Now I have to worry about my car getting hacked too?
The possibility of hacking cars raises all kinds of new questions and fears:
- What if they remotely hack the car and cause the brakes to fail?
- Whom do I call when my car’s computer system gets a virus?
Before you become as paranoid as me, let me break down car hacking a little to better so we can understand what we’re up against.
Smart cars and their security risks
Considering how tech-aware consumers have become, car manufacturers are striving to keep up. Smart cars are more like computers on wheels today than they were just a few years ago. Fully self-driving cars will not be officially released onto public roads for a few more years, but many car makers are already including advanced assisted driving features in current models. Hence, computing power and the nature of connectivity now require that cars be treated much like our PCs and smartphones. As cars continue to advance in capability, so too will the potential for security holes and hackers trying to exploit those vulnerabilities.
Guidelines for protecting cars from hacking
The recommended steps for protecting cars will sound familiar to any security-minded PC user:
- To ensure safe and stable vehicle operation, car owners need to maintain the latest software or firmware updates.
- Never install devices or applications that have not been approved by the automaker or even device makers such as Google and Apple.
- Drivers should always be wary of any physical tampering done to the automobile. Many hacks currently require physical access to the vehicle, which can be attained via unauthorized repairs or modifications by mechanics. Even the seemingly harmless action of inserting a foreign USB stick into the dashboard can be dangerous because it could carry malware that can infect vehicle diagnostics and control.
- All US vehicles built since 1996 are required to have an Onboard Diagnostic System II (OBD-II) port and be physically compliant. This requirement also means that the OBD-II connector under the steering column on all vehicles could be used as a physical conduit to load malware onto the vehicle. Therefore, it is important to lock the vehicle at all times and note any suspicious behavior after having a car serviced. In a recent Federal Bureau of Investigation (FBI) warning, all motorists are to report any problems that may be associated with car hacking.
Manufacturer-ensured safe vehicles
Just as car owners need to be security conscious, vehicle manufacturers also need to treat their products and services as they would treat their own secured computer networks. Within any moderately sized company, performing security assessments and penetration tests regularly are vital to expose vulnerabilities within networks. The same holds true for vehicle manufacturers; they need to ensure their vehicles leave the factory with no known security flaws.
Doing so enables vehicle manufacturers to certify their vehicles are safe from hackers. And because carmakers partner with and purchase from component manufacturers from so many different sources, they need to also ensure these sources have security and safety at the top of their priority lists. No car manufacturer would risk putting defective tires on any of its models, and, similarly, all car makers should ensure that dashboard software is without security flaws.
The balance between vehicle innovation and security
Modern smart cars are both entertainment centers and, essentially, computers on wheels in which we entrust our lives. The demand for these connected services will always push for the latest technology, but security efforts should also push back. As hackers are increasingly drawn to vulnerabilities found in cars, these same vulnerabilities will expose automakers that are lax on security and not proactive about security practices.
In the same way that Volvos have a good reputation for road safety, car manufacturers of the future are likely to be judged on their ability to apply cyber security standards to their vehicles to keep drivers, passengers and everyone safe. Consumers need to investigate features such as cyber security standards and software patch frequency along with other choices such as miles per gallon (MPG) and horsepower ratings when shopping for a car.
Aftermarket accessories such as vehicle diagnostic devices need to be manufactured and installed by trusted sources. And vehicle operating systems should be installed and updated by authorized parties only. Treating a new car like a new computer is the best way to keep it safe for everyone on the road.
The potential for cybersecurity standards
The next time you start your car, remember all the technology and connectivity that goes into your driving experience. With so many possible points of failure, keep in mind that the latest technology often goes through the least amount of testing. At a minimum, the National Highway Traffic Safety Administration requires every vehicle sold to pass a barrage of safety tests. However, currently no cybersecurity safety standards exist that require any vehicle to undergo testing—only national alerts are made. Until car makers and lawmakers converge on a cyber security standard, we must avoid security compromised smart cars in the same way we avoid those muddy puddles and potholes.