The latest buzzword in the automotive industry, “software-defined vehicle,” is nebulous to the point of meaninglessness, since every vehicle on the road depends on some kind of computer programming of systems from the touch screen to engine management, steering and brakes. The degree to which these systems are interconnected and connected to the Internet varies from car manufacturer to vehicle and from vehicle to vehicle.
The benefits of software-defined vehicles are many, including the ability to wirelessly receive updates to fix old problems or add new features, including extending battery life. With these benefits come digital security challenges. Computers can be hacked, systems can be compromised, and with our cars now connected to our homes and phones linked to our personal information, credit cards and banks, the entire network is at risk, experts say.
“This connectivity makes vehicles vulnerable to cyber-attacks on a wide range of interfaces such as cellular, vehicle-to-vehicle (V2V), Wi-Fi, GPS, Bluetooth, ultra-wideband, NFC, USB, OBDII or Power-Line diagnostic port. Communication (PLC) for vehicle charging.”
In 2015, two hackers and researchers managed to break into a Jeep Cherokee through old versions of its Uconnect infotainment system. In addition to seeing the actual mapped locations of these vehicles, Wired reporters Charlie Miller and Chris Valasek were able to take control of the vehicle’s engine, transmission, steering wheel and brakes as part of the experiment. Prior to the story, and before the two held a conference call about the vulnerability, Fiat Chrysler Automobiles (FCA), then the parent company of the Jeep brand, developed and installed an update for the issue.
Previously, both were able to disable the brakes, honk the horn, jerk the seat belt and control the steering wheel using a laptop in the back of the Toyota Prius and Ford Escape. These vulnerabilities have also been patched.
Recently, a group of independent security researchers found a vulnerability in Kia’s web portal that allowed them to assign control over Internet-connected functions. They created their own app and were able to scan the license plate of almost any Internet-connected Kia vehicle and track that car’s location, unlock the car, honk the horn, or start the ignition. Vulnerable models numbered in the millions.
The researchers alerted Kia and a patch was implemented, part of nearly a decade of vulnerabilities found in automakers from all over the world, from Nissan to Ferrari.
Hackers have also shown that in addition to attacking vehicles, they can access customer and employee records, physical vehicle sales records, and owner locations.
“Hackers could potentially affect a wide range of systems, exploiting vulnerabilities to compromise functionality, security or privacy. Telematics systems enable remote commands and remote diagnostics, location tracking or emergency services. If compromised, hackers could use the vehicle’s remote capabilities to reveal a sensitive location or personal information,” Caviglioli said.
She also said that a cyber attack could tamper with advanced driver assistance systems (ADAS) functions and potentially cause accidents. Compromised systems responsible for dynamic vehicle control, such as engine, braking or steering, can potentially lead to loss of control while driving. In addition, hackers could attack battery management systems, affecting the battery’s range or safety.
Compass Viewpoint is a thoughtful analysis and insight into this topic in an article provided by an experienced reporter in the automotive space.
Cars need software updates to stay safe
Like smartphones, today’s cars, trucks, vans, cars and SUVs require security updates to maintain their integrity. Software updates and patches are commonplace in connected cars, and many include bug fixes and the occasional added feature, such as a new app or the ability to extend your vehicle’s battery life. Most of these updates can take place within minutes while the vehicle is parked and not in use. Updating your vehicle’s software is a routine part of modern car life, much like changing spark plugs was in previous generations.
The National Highway Traffic Safety Administration (NHTSA) has created “non-binding and voluntary” guidelines for the automotive industry to improve motor vehicle cybersecurity. It focuses on both wireless and cable connections, as well as vehicle-to-vehicle (V2V) communication. In 2015, NHTSA created the Automotive Information Sharing and Analysis Center, Auto-ISAC, an industry environment emphasizing cybersecurity awareness and collaboration across the automotive industry.
V2V and vehicle-to-infrastructure connections are particularly dangerous because they are a two-way street, exposing both options to potential cyber attacks. Vulnerabilities in the vehicle or infrastructure can be exploited, leading to unauthorized access, data breaches, or manipulation of vehicle commands.
“Vehicles connected to the infrastructure are constantly exchanging data, which can include sensitive driver information such as location, driving habits and personally identifiable information. Ensuring the privacy of this data is critical, especially if it is stored or shared without adequate protection,” Caviglioli said.
This extremely sensitive personal and vehicle usage data is important to car manufacturers (who want to show they are protecting it) because, among other things, it is how they connect with their customers.
Ford said it uses the data to improve quality, minimize environmental impact and make its vehicles safer and more enjoyable to drive and own. It also offers customers the choice to share connected vehicle data with them.
It said owners can continue to use services that don’t rely on data they choose not to share.
Cars are just as vulnerable to cyber threats as your home computer or smartphone. They need to be protected in the same way to ensure safety, privacy and now more than ever the proper functioning of the vehicle and safety systems.
“Customers should regularly check and install software updates for their vehicle, as automakers often release patches that fix vulnerabilities. When using Wi-Fi or Bluetooth in the car, they should make sure they connect to secure networks and avoid using public Wi-Fi – Fi.” They should also create strong, unique passwords for any connected services such as navigation or entertainment apps associated with their vehicle,” Caviglioli said.
“However, if they suspect their vehicle has been compromised, they should contact their dealer or manufacturer to report the issue and seek advice.”