The problems have been increasingly apparent for several years now. A report from the financial advisory firm Stout Risius Ross found that the percentage of vehicle recalls attributed to software problems tripled between 2011 and 2015.
Obviously people’s laptops, smartphones, bank accounts and increasingly their “smart” homes are also hackable. But the stakes are much higher in a moving vehicle. If your credit card gets compromised, you can get a different one. If your bank account is hacked, you could lose a lot of money. But if your car gets hacked, you could lose your life.
That has been most famously demonstrated at the past two Black Hat conferences by Charlie Miller and Chris Valasek, hackers who now work for the ride-hailing service Uber. They showed that an attacker with physical access to a vehicle’s computer systems (in this case a 2014 Jeep Cherokee) can bypass Controller Area Network (CAN) protections and hijack functions including steering, acceleration and brakes.
Chrysler recalled 1.4 million vehicles after last year’s demonstration, and patched the flaw that allowed the two to hack the car remotely. This year, the two had to have a laptop plugged into the Jeep’s CAN through a port under the dashboard. But they were able to create much more dangerous mischief – turning the wheel or slamming on the brakes at any speed.
And they and other experts say it is only a matter of time before hackers will find ways to do that remotely.
As software management consultant Art Dahnert put it in a post on Dark Reading, “the age-old problem of software development failing to ‘build security in’ is leading to insecurity in automobiles today.”
So yes, Thuen agrees that, “best practice initiatives are late. We have legacy technology mixed with modern technology being developed by companies that are just exploring this area of technology,” he said, “and all of that is a recipe for security gaps.”
But he and others say there is almost always a delay when a new technology is brought into a well-established industry.
The auto industry is, “dealing with the challenge of adding connectivity to systems that were never intended to be connected,” said Steve Grobman, CTO for Intel Security Group.
Thuen agrees. “The emerging technologies have moved these auto companies from automobile manufacturers to Silicon Valley companies who also manufacture automobiles,” he said.
And there is evidence that the industry’s big players, which have always been notoriously secretive about both their plans and their problems, are concerned enough about their software vulnerabilities to share cyber threat information and solutions with one another.