- Hackers prove they can access certain Chrysler Jeep vehicles.
- Dangers are not just limited to connected cars – all internet-enabled devices are a potential target.
- Manufacturers must treat cyber security as a strategic concern.
On the same day that Australia’s first driverless car demonstration was announced, another car story made much bigger headlines. A tale that raised major safety concerns even with a driver sat behind the wheel.
A pair of hackers in the US announced that they were able to take control of a Chrysler Jeep using an internet-connected laptop.
In a video demonstration published online, a journalist drives the car along a highway while the hackers, not in the car at the time, switch on the fan and windscreen wipers, turn the radio volume up and, most alarming of all, cut the engine. The driver, unable to accelerate, can only reset the controls by switching the car off and back on again. Later in the demonstration the hackers also adjust the speedometer and operate the door locks and steering.
The hackers said that hundreds of thousands of 2013-onward Chrysler models could be at risk because of a feature called Uconnect – the internet connected computer installed in the vehicle’s dashboard.
The problem in this instance was that Chrysler’s system was not installed with a firewall, meaning that hackers could gain access to input their own commands to remotely control the car.
This is not an isolated incident. Earlier this year a security vulnerability was revealed in BMW models featuring ConnectedDrive, an embedded system connecting the car to the internet. The flaw left 2.2 million vehicles open to the potential of being unlocked by remote hackers.
Although both the Chrysler and BMW vulnerabilities can be fixed with a software patch, there’s a much greater underlying issue. By connecting cars to the internet, they are open to being hacked. An estimated 220 million connected cars will be on the road by 2020. What safeguards are manufacturers putting in place to avert such attacks in the first place? PwC’s Global State of Information Security Survey revealed that despite rising risks, information security spending by automotive companies actually declined last year.
US Senators have proposed the Security and Privacy in Your Car Act mandating manufacturers to use “reasonable measures” to protect their vehicles from hacking. The proposed law also takes measures to increase consumer awareness around the collection and transmission of data. “Drivers shouldn’t have to choose between being connected and being protected,” said the senator behind the proposal, Edward Markey.
However, while legislation helps drive home the seriousness of the security issues (for the US at least), cars should not be the only focus.
Every internet connected device, from insulin pumps to baby monitors, is a potential target for hackers. While much of the security control rests with user behaviour, such as ensuring that strong passwords are set, there is an increasing onus on manufacturers to build security as a product feature.
Consumers are gaining a greater understanding of the dangers associated with internet security and how it can affect them personally, even in their homes and in their cars. This will increasingly guide purchasing decisions. At the same time, the number of connected devices is rapidly expanding: around 25 billion are anticipated by 2020.
As the internet of things grows (and legislation could follow), prescient manufacturers including automotive companies must treat security as a serious strategic concern. Chances are, they will eventually be put to the test.