Some people think of their car as a personal sanctuary where they can find some privacy. Yet, one of the biggest themes in the auto industry is connectivity. In the US, GM, Toyota and Ford sell only internet-connected cars, and this trend will continue. However, always-on connectivity leaves these cars open to cyberattack, and there could be more than privacy at stake.
Just another type of device
In Internet of Things (IoT) terms, cars today are just another type of device. They are just as vulnerable as any other internet-connected device, like phones or computers.
Carmakers already know how to make safe cars. But until recently, they haven’t had to fully address cybersecurity. Each car used to be in a world of its own. Now they build cars that can talk to each other and to traffic lights, to manufacturers and various authorities.
Connectivity requires more complex computer code. Current vehicles have 100 million lines of code, which is forecast to triple in 10 years. Even one bug could cause a catastrophic accident on the roads or open the vehicle to hackers. Passenger aircraft have less code, at 15 million lines, to limit the number of possible bugs.
Cybersecurity is a process of closing hundreds of doors, because any door can let a hacker into the system.
When a driver connects their phone through a USB port, it provides a potential cyberattack point for phone and car data. Over-the-air (OTA) software updates mean people don’t have to visit a dealership every time there is a security update. While this mode is acceptable for phones and home PCs, it is dangerous for safety-critical systems, such as cars. It potentially makes the car insecure, even while it is being updated to keep it secure.
In 2015, hackers showed how they could take over the entertainment system of a Jeep Cherokee to disable brakes and steering while the vehicle was on the road. The Jeep hackers showed connectivity is more than a threat to privacy – it is a potential threat to life.
No guardian against cyberattack
Why would anyone want to cyberattack vehicles? According to criminal justice theory, an attacker needs to be motivated, have a suitable target – and no guardian to stop them.
Researchers at Michigan State University made the disturbing finding that nobody is actually responsible for the central computer system in any vehicle. They said carmakers must accept responsibility as guardians of that system. Ultimately, so must software vendors, dealerships and anyone else involved in putting and keeping that vehicle on the road.
Guardians may ultimately make it easier for customers to take responsibility for protecting their own vehicles and themselves. But this could create a tricky grey area where it is not quite clear who is responsible for any breach.
Insurers and cybersecurity
Cybersecurity in government and business is already a dominant concern. Suncorp expects cybersecurity to become its main underwriting activity in motor insurance, because of the software in a vehicle. However, cyberrisk is difficult to model because it is a “moving target” and new hackers and threats keep emerging.
Continued adoption of connected cars could even drive up insurance premiums because of growing cyberrisk.
Consumer Watchdog (US) says the military and aviation industries have minimised the threat of cyberattack by disconnecting safety-critical systems from the internet. Yet, connected cars currently have exactly this vulnerability. CW suggests it should be mandatory for carmakers to install “kill switches” in every vehicle so drivers can disconnect their cars from the internet.