GM, Ford and Toyota are among the automakers cited by Consumer Watchdog using whistleblower informants.
By Kevin Smith, THE LOS ANGELES DAILY NEWS
July 31, 2019
Advanced technologies have greatly improved the functionality of cars, but Internet connections to critical safety systems in the top 2020 vehicles leave them vulnerable to fleetwide hacks, according to a new report.
The study, “Kill Switch: Why Connected Cars Can Be Killing Machines And How To Turn Them Off,” was compiled over a period of five months by Los Angeles-based Consumer Watchdog with the help of car industry technologists. Unveiled at a press conference Wednesday, the report warns that a fleetwide attack at rush hour could disable the brakes, steering or airbags on vehicles, resulting in a 9/11-scale catastrophe with as many as 3,000 deaths.
Automakers have acknowledged that cyberattacks pose a threat as Internet connectivity plays an increasingly bigger role in the operation of vehicles.
“The people who aren’t here today are maybe the most important,” Consumer Watchdog President Jamie Court said. “They are 20 whistleblowers — all car industry insiders, including engineers, developers, people who work for car companies and their suppliers. They are the ones who supplied this report. But they cannot show their faces because if they did they would be fired and their companies would be fired from the supply chain.”
Court said his organization wants to get the word out.
“This report is critical to American security, it’s critical to consumer safety and it’s critical for Congress to understand it,” he said. “These whistleblowers have shown us exactly why the new fleet of 2020 cars are extraordinarily dangerous, can be hacked and are potentially the biggest national security threat that exists today.”
In-vehicle infotainment systems are becoming a standard feature with many cars. They offer luxury, convenience and a host of features that connect the car to cloud data and other Internet-connected services. Many motorists who use these systems on a regular basis likely take them for granted without realizing how they work.
Which vehicles are at risk?
All current new vehicles from General Motors — which account for more than 17% of the industry’s U.S. market share — are at risk, the report said, as are all Toyota and Ford vehicles by 2020. Ninety percent of new cars by Renault-Nissan-Mitsubishi will be at risk by 2022, the analysis shows, while risk factors associated with Honda, Hyundai/Kia, Subaru, Volkswagen and Daimler vehicles are unknown.
Vulnerable connectivity features are specifically noted in vehicles such as the Toyota Camry, Lexus ES, Honda Civic and Subaru Outback, among others.
More than 100 million lines of computer code
Millions of cars on the Internet running the same software means a single exploit can affect millions of vehicles simultaneously, according to the report. That means a hacker with modest resources could launch a massive attack against the nation’s automotive infrastructure, potentially causing thousands of fatalities.
Tens of millions of Internet-connected cars are already operating on the nation’s roads and those kinds of vehicles will comprise the majority of new cars by the end of the year. The report notes that many of today’s cars contain more than 100 million lines of computer code, while an F-35 joint strike fighter jet contains about 9 million.
“Automakers are making things more complex by adding more lines of code,” one of the whistleblowers said in a phone interview Wednesday. “That is a classic security mistake. Security comes from keeping things simple. The more complex you make it, the more someone will be able to get in the back door.”
One of the engineers quoted in the report said cyberattacks could be reduced by maintaining a physical separation between Internet-connected components and safety-critical components.
The report includes disclosures to investors from several automakers, who acknowledge cyberattacks are a real threat. Ford and its suppliers and dealers have already been the target of attacks and more are likely to occur in the future, the automaker said.
“The techniques used for attacks by third parties change frequently and may become more sophisticated, which may cause cyber incidents to be difficult to detect for long periods of time,” Ford said.
Equally disturbing is Ford’s admission that its networks and in-vehicle systems could be compromised “by computer viruses or breaches due to the negligence or misconduct of employees, contractors, and/or others who have access to our networks and systems.”
GM likewise acknowledged that hackers have reportedly attempted, and may attempt in the future, to modify or alter its high-tech systems to change a vehicle’s functionality.
Types of attacks
The report details several types of potential cyberattacks:
- Direct attack: This occurs when a hacker connects directly to the infotainment system over the cellular network
- Vehicle-to-vehicle worm: Malware can spread from one connected car to the next via Wi-Fi, cellular or vehicle-to-vehicle digital communication
- Home base attack: Because connected vehicles communicate with the manufacturer, a hacker who penetrates the corporate network can potentially spread malware to millions of connected vehicles
- Wi-Fi hotspot attack: A malicious hotspot near a busy street or highway could infect many thousands of Wi-Fi-enabled vehicles as they pass within range
- Supply chain attack: Since a complex network of suppliers is involved with most automotive software, there are many opportunities for it to be corrupted with malware without the automaker’s knowledge
- Digital application attack: Any digital app you install on your car is a potential vector for malware and could give attackers remote access to your car’s steering, braking and acceleration
- Mobile device-to-vehicle attack: A widespread phone virus or other phone-borne malware could silently wait for your phone to pair with a car and then transfer malware to that vehicle
The whistleblower, who helps create software used by automakers worldwide, said he initially assumed car companies had adequate safeguards in place to prevent most cyberattacks. When he learned that wasn’t the case, he quickly realized that openly talking about it wasn’t an option.
“There is a career liability involved in asking these questions,” he said. “And the more I dig into it, the deeper the rabbit hole goes.”
Kevin Smith handles business news and editing for the Southern California News Group, which includes 11 newspapers, websites and social media channels. He covers everything from employment, technology and housing to retail, corporate mergers and business-based apps. Kevin often writes stories that highlight the local impact of trends occurring nationwide. And the focus is always to shed light on why those issues matter to readers in Southern California.