By Alan Ohnsman, FORBES
July 31, 2019
Automakers are layering new vehicles with a range of web-enabled features, from remote engine starts or turning on the AC via a smartphone to over-the-air updates that add new functionality. Yet directly connecting cars to the Internet raises the prospect of hostile hacks that should worry manufacturers and regulators alike, a safety group argues.
Citing anonymous interviews with 20 auto and software engineers who work on connected cars, Los Angeles-based Consumer Watchdog released a study warning that the danger of fleetwide hacks of connected vehicles is increasing. To reduce the risk, the study recommends that automakers should install a 50-cent electronic "kill switch" to give drivers the option to cut the connection between the internet and safety-critical features (like the brakes and the engine).
“What these whistleblowers have done is, over the course of five months, shown us exactly why the new fleet of 2020 cars are extraordinarily dangerous, can be hacked and are potentially the biggest national security threat that exists today,” Consumer Watchdog President Jamie Court told reporters at a press conference on Wednesday. “Connecting safety-critical systems to the internet in a car is inherently dangerous, connecting the brakes, the engine.”
The problem stems from the infotainment system that provides music, navigation or restaurant tips being connected to both the Internet and a vehicle’s CAN bus, a decades-old technology that links the engine, brakes and other key components. Demonstrations by ‘white hat’ hackers in the U.S. and China have shown that Jeep and Tesla vehicles can be manipulated, and the concern is that could be done on a much larger scale by hostile elements including foreign governments, according to the report.
The issue is not an unfamiliar one to automakers, who for the past few years have collaborated to minimize cybersecurity risks. The Alliance of Automobile Manufacturers, the largest car industry group in the U.S., set up the Automotive Information Sharing and Analysis Center in 2015 specifically to promote and share best practices for auto, parts and cellular tech providers. The industry also works with the Department of Homeland Security’s Office of Infrastructure Protection and National Cybersecurity and Communications Integrations Center on the matter, as well as with the National Highway Traffic Safety Administration.
Still, state and federal officials aren’t acting quickly enough, which is why Consumer Watchdog issued its report, Court said. In his presentation, Court noted that Ford’s most recent annual report filed with the SEC references “cyber incidents” involving malicious software have already targeted it and suppliers. “We, our suppliers, and our dealers have been the target of these types of attacks in the past and such attacks are likely to occur in the future,” Ford said in the Risk Factors section of its 2018 10-K, without elaborating.
Already, all new vehicles sold by General Motors in the U.S. have cellular connectivity and those from Toyota and Ford will also be web-enabled from the 2020 model year, according to the report. Fiat-Chrysler targets connectivity for all 2022 models, while the bulk of those from the Renault-Nissan-Mitsubishi will have that capability in the same time period. Most major carmakers are following suit, while in Tesla’s case wireless connectivity has been a key element for the brand since its Model S came out in 2012.
“What we are presenting today isn’t just the possibility of a single hack or an errant hack. It is the danger of fleet-wide hack” in which a hostile person or group takes control of braking, acceleration or steering control, Court said. “Allowing consumers to physically disconnect their cars from the Internet and other wide-area networks should be a national security priority.”
From Los Angeles, the U.S. capital of cars and congestion, I try to make sense of technology-driven changes reshaping transportation, cities and how we get around. I've tracked global automakers, advanced vehicle tech and environmental policy for more than two decades, including 15 years at Bloomberg, and squeezed in stints in the financial and corporate worlds.