Why Car Companies Are Hiring Computer Security Experts

You may have heard the term ‘Internet of Things’ without really knowing what it is. It refers to the capability of ‘smart’ devices to communicate with one another. You can start the heating in your house on your way home from your phone; some cutting-edge fridges are able to order your groceries automatically by measuring how much food you have left and cleaning bots will keep your house spotless without you having to do anything.

Vehicles have been increasingly computerised and connected over the last decade, from parking sensors to detecting faults or managing various functionalities. In the 90s, an average car would have around one million lines of codes. Today, it has over 100 million lines - more than an F35 fighter jet- and it is forecast that it won’t be long before that number doubles.

While it undeniably made the roads safer, any connected device is vulnerable to hacking and vehicles are no different. So far, criminals have been unable to find back doors, but they have been actively developing ways to do so and this is the reason why the main players in the automobile industry have been setting up departments solely dedicated to cyber security in vehicles.

When one considers that there is a defect rate of 15 to 50 per thousand lines of code that can potentially be exploited, it is no surprise that they should take those vulnerabilities very seriously, and they have been reshaping their production processes to reflect the fact that they no longer are just manufacturers of physical objects, but also software companies that need to deliver computer systems robust enough to withstand attempts to hack them.

A first study by the Universities of Washington and California had demonstrated that a hacker connected to the internal network of a car could take control of all computer control systems. In 2011, they published a second study which concluded that computerised cars were also susceptible to remote cyber attacks via short-range and long-range internet routes including mechanical tools, CD players, Bluetooth and cellular radio. This study was a stark warning to car makers that they needed to step up their game and consider cyber security as important as physical safety.

This study wasn’t a theoretical paper thought up by academics, researchers had actually succeeded in hacking connected systems. In 2015, two ‘white hat’ hackers – i.e. hackers that aim to expose weaknesses rather than do harm - proved again that their conclusions were correct by taking control of a Jeep Cherokee through its entertainment system and disabling its transmission in the middle of a motorway. A year later, they demonstrated how they could hijack the driving wheel and brake system remotely to make the vehicle stop suddenly in high-speed traffic – the car ended up in a ditch.

Chrysler, the manufacturer, was unable to fix the issue and had to recall 1.4 million vehicles; the hackers responsible for this inconvenient state of affairs did well for themselves, as they were subsequently recruited by Uber and Didi, Uber’s Chinese competitor.

Other security researchers tested the Tesla Model S, a software-heavy vehicle, and were able to control a number of its functions from a laptop. A year later, Chinese researchers topped it up and showed that they could control its brakes from a distance of 18km. Unlike Chrysler, Tesla was able to apply a remote patch but it showed without any possible doubt that the more a car is connected, the greater the risk to its security.

BMW cars were also hacked in 2015, the attacker being able to unlock the car remotely. It transpired that the car maker hadn’t enabled encryption on its servers. This frustratingly basic mistake wasn’t hard to fix but it involved recalling 2.2 million cars to upgrade them.

Luckily, all these hacks were perpetrated by well-meaning individuals who only meant to highlight the need to strengthen cyber security in cars, but it was proof that a car can be controlled remotely, and used for sinister purposes in the wrong hands. Kidnapping high-profile individuals would only require taking control of their cars at an opportune moment; vehicles could also become weapons launched at high-speed in a crowd, or careened off a bridge to kill its occupants.

More innocently, wanting to hack a car’s systems may be an attempt at uploading a commercial App without your permission: the two hackers who exposed the weakness of the Jeep were approached by an App maker willing to buy their discovery to be able to do just that. It won’t endanger you, but who needs another marketing ploy to sell you something you don’t need when you are captive in your car?

The announcement by the Chief Executive of General Motors in the US that cybersecurity was the company’s top priority highlights how seriously car companies take this threat, as does the rush between Uber, Didi, Tesla and Apple to poach cyber experts and white hat hackers from one another as well as from cybersecurity firms and organisations. Some car manufacturers are even offering rewards to hackers who help them identify flaws in their systems.

In the US, a bill was introduced at the beginning of 2017 with a focus on automotive cybersecurity, and more specifically to bring the National Highway Traffic Safety Administration, the Federal Trade Commission, the National Institutes of Standards and Technology, the Department of Defense, car suppliers, academics and other experts to define cybersecurity standards for vehicles.

This bill, named the SPY Car Study Act, would have the participating groups identify which vehicle systems need to be isolated from a software security point of view, set up standards for firewalls and anomaly detection, develop tools for the prevention of malicious intrusions and best practices for storing data.

Looking for a car shipping company? We are the experts and have shipped thousands of cars across the world. You can get a quote online quickly, call us on 64 9 309 1163 or send us a message.