Technological advances are opening cars up to a rising range of cyber security risks, and it will require a combined effort to keep the hackers at bay
A team of security researchers is trying to hack into the computer system of a gleaming new car. Sitting quietly in front of their computer screens, the experts at UK engineering consultancy HORIBA MIRA attack the car’s software defences with well-honed but generic strategies. They meet a wall of resistance and then move on to more sophisticated techniques in a bid to gain access to the car’s code.
“Typically the test consists of a background study to identify interesting areas, vulnerability analysis to identify weaknesses, and tests where we try to exploit those weaknesses,” explains Dr David Ward, HORIBA MIRA’s senior technical manager of functional safety. He is in the front line of the battle to protect the connected and automated car against cyber criminals. If a bank’s software systems are broken then money may be lost; in the automotive industry, it is real lives at risk.
A new model of car ownership
The arrival of the connected and automated car may promise exciting opportunities that range from personalised in-car infotainment to reduced accident rates, but it also presents significant new risks such as breaches of cybersecurity.
And the technological development is transforming the automotive market from a model based on car ownership and personal insurance towards mobility solutions and a new mix of insurance options. It is a challenge to all stakeholders, from regulator to car manufacturer, who across the world are working together in a variety of testing environments to ensure the journey is as smooth as possible.
Christine Kogut, principal and consulting actuary at Milliman, the actuarial firm, highlights how essential the co-operation will be: “The enhanced sensing and response time capabilities in self-driving cars will drive new demands on hardware and software performance and spread liability across dozens of suppliers for software, systems, and devices.”
The cyber test at HORIBA MIRA is an example of all the relevant stakeholders working together. The company is part of a consortium called UK CITE – Connected Intelligent Transport Environment – that is preparing 40 miles of public roads for real-life trials of connected vehicle technology by automotive, infrastructure and service companies. Active partners include Visteon Engineering Services Ltd, Jaguar Land Rover, Coventry City Council and University, Highways England Company Ltd, Huawei, Siemens, and Vodafone.
“UK CITE is an ideal opportunity for automotive manufacturers, technology and infrastructure providers and service operators, and infrastructure operators to collaborate to develop a real-world test bed for connected technology in a non-competitive environment,” says Claire Lewis, Visteon’s senior business development manager. “It will enable all partners to accelerate their learning on cyber security and safety whilst exploring the commercial opportunities of the connected vehicle area.”
New levels of automation require complex software that could be hacked and connectedness between vehicles and other IT systems gives hackers different levels of access if they can break security barriers.
This was demonstrated strikingly four years ago when the Pentagon’s Defense Advanced Research Projects Agency gave two specialists – Charlie Miller, 40, a security engineer at Twitter, and Chris Valasek, 31, director of security intelligence at IOActive – $80,000 to root out the weak points in the software.
A year later the pair were driving around in a Toyota Prius using a bashed-up MacBook plugged into the car’s computer to blast the horn, brake suddenly, cause sudden jerks in the steering wheel, spoof the GPS and confuse the speedometer.
Miller and Valasek had direct access only to a single car’s computer. Today, as cars rapidly become autonomous entertainment platforms relying on millions of lines of updatable code, entire fleets of connected cars will be at risk from remote hackers. The risks are obvious. As James Dodge, a senior Milliman consultant, asks: “How do you protect a car when it is always on?”
Over-the-air updates set to soar
The practice of updating a car’s software is due meanwhile to grow tenfold in the next six years, according to IHS Automotive. Last year about 4.6 million cars got over-the-air updates for telematics applications, the research company revealed, compared with an expected 43 million units by 2022.
“The telematics supply chain will see amazing growth and innovation through the end of the decade, as more vehicles debut new connected solutions that make use of embedded modules while at the same time enabling consumers to fully leverage their mobile devices,” said Anna Buettner, manager for infotainment at IHS Automotive.
For owners of the Tesla Model S the future is already here. They recently slid behind the wheel of their cars and noted they could do a range of new tricks, like automatically steer along the road, change lanes and adjust speed in response to surrounding traffic, scan for a space and parallel park. It’s risk free driving unless, of course, something goes wrong.
Cybersecurity is not the only risk with the connected and autonomous car. There is also the possibility that software can fail or that automated driving systems do not respond effectively to an unforeseen driving experience. A Tesla driver, for example, recently died when his car, which was in auto-pilot mode, drove into the side of a turning tractor trailer, raising challenging questions about responsibility and liability. As Dodge asks: “Who or what is to blame for the Tesla crash? Who bears the costs?” His colleague Kogut points out: “Many carmakers have pledged responsibility for accidents caused by malfunctions in the technology, and that is a harbinger of the shift in demand for product liability.”
These and many other issues will transform planning for the automotive industry over the next few years. Meanwhile, those security experts will be quietly hacking away, testing the latest defences on behalf of us all.
This content was produced by FT², the advertising department of the Financial Times, in collaboration with Milliman.