The cell phone message from hackers demanded a $20 ransom to unlock the vehicle doors, or the vehicle owner could pay a lot more money to have the vehicle towed to a dealership where the doors would be unlocked.
“This was just one example of the many things they were able to do,” Andreas Mai, Director of Smart Connected Vehicles at Cisco Systems, Inc., said about a team of hackers. “In our organization we have this team, based in Israel for the last three years, that has started to conduct threat penetration and vulnerability analysis for multiple manufacturers.”
Mai was a speaker on the "Connected Car and Cyber Security" panel in the AVL-sponsored session at Cobo Center in Detroit during the final day of SAE 2014 World Congress activities.
Panel moderator Michael Dudzik, Managing Partner at the private equity venture firm Lingua Franca Group, said cybersecurity needs to be one of the auto industry’s top priorities: “It’s very important in the sense of safety. And it’s very important in the sense of consumers’ confidence in the product.”
The vehicle’s digital communication ports that enable onboard diagnostics (OBD II) data transmissions, the WiFi hotspots for infotainment functions, as well as other communication protocols used by the vehicle are potential pathways for malware and other threats.
One way to view a modern-day vehicle is as a mobile IT platform, according to Glen DeVos, Vice President of Engineering, Delphi Electronics and Safety. “With the tremendous benefit that these systems bring in terms of safety, in terms of convenience, in terms of service, in terms of making the driving experience more enjoyable, they also open up new windows of vulnerability from the cybersecurity standpoint,” he said.
The need for cybersecurity is a sign of the times, said Andre Weimerskirch, Associate Research Scientist at the University of Michigan Transportation Research Institute (UMTRI) who specializes in applied data security: “If you look at the car of 50 years ago, [there are] no electronics, no wireless interfaces. There isn’t much to hack.”
While current vehicles are flush with subsystems that rely on software code and electronics, many new vehicles offer infotainment systems that can connect with brought-in smartphones and other portable devices.
“I strongly believe that we should always assume that external devices that are connected to the car—be that smartphones, OBD II devices from insurance companies, and so on—would never be secure,” Weimerskirch said. “They are too complex. They use millions and millions of lines of code. The best assumption is to assume it can be hacked.”
Delphi’s DeVos said the connected vehicle is here to stay: The challenge is to "isolate those safety-critical feature sets—whether that’s e-steer, e-brake, or other systems—and make sure that they are protected."
Wide-scale cyberattacks could be especially destructive. Weimerskirch laid out the following scenario: A vehicle goes in for service. A test tool (a laptop connected via a cable) is hooked up to the car, and the vehicle passes malware onto the test tool. That malware is then spread to other vehicles that are connected to that same test tool.
Data exchanges related to vehicle-to-vehicle and vehicle-to-infrastructure communications are yet another segment in the cybersecurity chain.
Said Cisco’s Mai: “You will never be able to protect a vehicle just with vehicle-bound systems.” Rather, cybersecurity needs to be approached as an end-to-end architecture that begins at the chip level and extends through the entire vehicle network, including car-to-cloud communications. In short, cybersecurity needs to be all-encompassing.
Weimerskirch wants to see automakers approach the issue with eyes wide open. “The starting point for cybersecurity is really the entire company, from management and engineers on through the dealerships,” covering all phases of product development and the vehicle life cycle.
Said Mai: “It is scary to believe that it may take three to five years before we have reached a level of security that is sufficient.”