The revelation through WikiLeaks that the CIA has explored hacking vehicle computer control systems should concern consumers, particularly as more and more cars and trucks roll off assembly lines with autonomous features.
"I think it's a legitimate concern considering all of the computers being added to cars," said Kit Walsh, a staff attorney with the privacy group Electronic Frontier Foundation (EFF). "There's no reason the CIA or other intelligence agencies or bad actors couldn't use those vulnerabilities to hurt people.
"The risk is greater if you're trusting a self-driving vehicle," Walsh said.
WikiLeaks this week released more than 8,700 documents it claimed came from the CIA's Center for Cyber Intelligence; some of the leaks indicated the intelligence agency had looked at exploiting security vulnerabilities in smartphones, smart TVs and vehicle computer systems.
"As of October 2014, the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks," the WikiLeaks post stated. "The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations."
WikiLeaks also linked to meeting notes from 2014 listing "potential mission areas" for the CIA's Embedded Devices Branch. The notes included references to "Vehicle Systems" and "QNX," which is BlackBerry's automotive software platform for telematics and in-vehicle infotainment (IVI) systems.
Increasingly, automakers have been adopting QNX. In 2016, for example, Ford announced it was dropping Microsoft as the platform for its SYNC infotainment system and adopting QNX instead. Ford's new SYNC 3, using QNX, was rolled out in new vehicles last summer.
Automakers have also been enabling over-the-air software updates for vehicles, a channel that could allow malicious code to be uploaded to on-board computer systems.
The government's role is to protect Americans
The role of the U.S. government is to explore security vulnerabilities in order to make product manufacturers aware of potential hazards, not exploit them, Walsh said.
In 2014, the Obama Administration assured Americans that a policy called the Vulnerability Equities Process (VEP) would prevent federal agencies from withholding "major" security vulnerabilities from the companies affected by them, particularly ones that could cause consumers harm. Any security holes that security agencies do exploit are supposed to be used only in national defense.
Image: The BMW i3 autonomous car co-developed by BMW, Intel and Mobileye.
"The agencies are supposed to reveal vulnerabilities so companies can fix them and keep Americans safe. This is an example of a huge agency not following those rules and leaving people exposed to vulnerabilities so they can exploit them," Walsh said. "We've seen this before from the U.S. government."