As more cars start to gain Internet connectivity, we need to have a serious discussion about automotive cybersecurity.
Earlier this Tuesday, researchers revealed an exploit that allowed them to disable the engine and braking in a Jeep Cherokee – all using a laptop and smartphone from the comfort of their living room. The hack also gave them control over steering while the car was in reverse, as well as the windshield wiper and washer functions. They could operate the climate control and radio too, though that’s more irritating than it is dangerous.
No physical access was required. The researchers only needed the IP address associated with the infotainment system. They knew this info beforehand, but hackers could pinpoint the IP of a specific target if they had several phones searching together.
In theory, any Fiat Chrysler vehicle equipped with the Uconnect system is vulnerable. The good news is that a fix has been published, which owners can download. The bad news? The automaker didn’t see fit to issue a recall. It’s up to owners to get the update installed, either on their own or by request at their dealership.
Such inaction reflects a lax attitude towards cybersecurity in the auto industry, as seen in a United States Senate report published last year. Sixteen automakers responded to questions posed by Senator Ed Markey about their cybersecurity measures: BMW, Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen, and Volvo. Three more automakers received the same set of questions but did not provide a response: Aston Martin, Lamborghini, and Tesla.
Individual responses were not revealed, but five of these manufacturers said they don’t use third-party testing to verify system security, while four didn’t specify whether that was the case. Half of the respondents didn’t reveal whether they had systems to detect malicious commands, while two admitted they did not. Only two of the automakers said they had a system in place to slow down or stop a car that was found to be compromised by hackers.
But the problem isn’t limited to worst-case scenarios where a car loses critical functionality. Electronic devices that allow a thief to unlock and potentially drive away with your car are already in active use. They work by extending the range at which a car with keyless entry will search for its key fob, so the car can be broken into if it is parked not too far from the keys (i.e. outside the owner’s home). If the key can detect how far away the car is, this can be avoided – but such technology is not yet widespread.
As a result of the report, the US Senate is now looking to introduce standards for automobiles that would mandate certain defenses against hackers. These standards include the separation of critical software from the rest of the vehicle’s network, systems to detect and respond to malicious commands, and third-party security testing.
The Senate report found that nearly 100 per cent of cars sold today have some form of wireless connectivity, so it’s pretty clear this problem isn’t going anywhere. Nobody will want to give up their Bluetooth and keyless entry for a threat that can feel so distant, nor should they have to. It’s time that automakers start taking this a lot more seriously.