The short answer is that modern cars are ripe for cyber mayhem. Cars have become smartphones on wheels — giant rolling cages of software code controlling brakes, steering and propulsion, not to mention radio, weather apps and air conditioning.
But some cars are more hack-bait than others.
The Wired hackers, Charlie Miller and Chris Valasek, targeted the 2014 Jeep Cherokee because they previously deemed it to be among the most hackable based on a survey of two dozen different models.
Other vehicles they deemed particularly vulnerable included Toyota Motor’s 2014 Infiniti Q50 and Toyota Prius, General Motors’ 2015 Cadillac Escalade, the 2014 Ford Fusion, the 2014 BMW X3 and i12 and the 2014 Range Rover Evoque.
Cars that are most susceptible to hacking attempts are among the newest vehicles on the road, typically including only cars that have Internet connectivity, mapping capability or infotainment systems. The study by Miller and Valasek and interviews with analysts suggest that the most troublesome vehicles are those with Internet systems embedded in infotainment systems and connected to other networks on the car, such as those operating brakes and propulsion.
The “least hackable” vehicles they surveyed were the 2014 Dodge Viper, 2014 Audi A8 and 2014 Honda Accord.
In February, CBS’ 60 Minutes demonstrated how a General Motors car could be hacked through its OnStar connectivity system. The test was done in conjunction with a researcher from the U.S. military’s Defense Advanced Research Projects Agency, or DARPA, which is trying to find ways to eliminate the threats.
“Everything is hackable,” said Thilo Koslowski, who heads the automotive practice group for Gartner. “But remember that the automotive industry invented the term firewall. Now they need to apply it to bits and bytes.”
Like personal computers, cars can’t be completely shielded from digital intrusion. One crucial step is to ensure that communication networks such as those responsible for brakes and acceleration cannot be accessed via the Internet.
“This is a violation of some very basic and known best practices,” said Steve Manzuik, director of security research at Duo Security, whose investors include Google. “It is this practice that makes attacks like what happened with the Jeep example possible.”
The Wired hackers accessed their Jeep Cherokee remotely by penetrating its UConnect infotainment system and reprogramming the vehicle. That was alarming for industry watchers who had previously questioned whether hackers could infiltrate a vehicle’s systems without wired connections inside the cabin.
“It’s hard to do, but the fact that it’s possible is disconcerting,” said Matt Clemens, a security solutions architect at Arxan Technologies.
The average modern car has about 16 “clear attack points,” according to Frost & Sullivan. Those include routes that aren’t immediately obvious to the average driver — such as seemingly harmless tire-pressure monitoring systems.
The good news: hackers have not yet shown much interest in cars. There has never been a documented incident of hackers causing an accident on the roadways. For one thing, there’s little financial incentive to attack vehicles. By directing their energy into computers and mobile devices, hackers can steal financial information. Cars typically don’t store much personal data.
But sophisticated hackers simply looking to create mayhem could do some damage.
“It’s creeping closer to where you could say that could be a malicious hacker,” said Richard Wallace, director of transportation systems analysis for the Center for Automotive Research.
The auto companies say they’re already investing heavily in R&D and sharing information with each other to improve vehicle cybersecurity.
GM, for example, hired a chief product cybersecurity officer, Jeff Massimilla, in 2014. Ford said it’s integrating cybersecurity principles into its design “from the outset” of the product development process. “We are not aware of any instance in which a Ford vehicle was infiltrated or compromised in the field,” Ford said.
A few weeks before the Wired report, carmakers representing 98% of vehicles on the road had already agreed to join a new consortium called Auto Information Sharing Advisory Center (ISAC), which will allow manufacturers to share information on cybersecurity measures without violating anti-trust laws.
“They’re staffing up with a lot of really good software engineers or they’re teaming with software companies that are already ahead of the game on this,” said Jon Allen, a Booz Allen Hamilton cyber expert and consultant on the ISAC project.
Still, some lawmakers in Washington are disgruntled over the industry’s cyber response. U.S. Sen. Edward Markey (D-Mass.) and U.S. Sen. Richard Blumenthal (D-Conn.) on Tuesday introduced long-in-the-making legislation that would require federal regulators to establish cybersecurity standards and ratings for the automakers.
That came after Markey released a report in February accusing the auto industry of “a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information.”
What’s clear is that resilient cybersecurity technology is particularly vital as software engineers pack cars with code to handle automated driving systems. Analysts expect fully driverless cars to hit the roadways sometime within the next decade or two.