Here’s How Hackers Can Target Cars, According to Security Experts

Our modern supercomputers on wheels are only getting more vulnerable.

You’re ready to head to work on a warm summer morning. But when you slip behind the wheel and press the car’s Start button, nothing happens. Nothing, that is, until a message pops up on the touchscreen monitor that tells you that your car has been hacked—and if you want to use it again you’ll have to pay an anonymous hacker.

So-called ransomware is becoming an increasingly common threat for both personal and corporate computer users, and it could soon become an unwelcome reality for motorists, as well. And it’s just one of the many cybersecurity threats facing the auto industry—and motorists around the world.

The automobile has become a “supercomputer on wheels,” according to Mark Rosekind, the head of the National Highway Traffic Safety Administration, and just like any other computer, that’s posing a tempting target for hackers, he said during a day-long cybersecurity conference in Detroit last Friday.

Rosekind isn’t the only one worried. Other speakers at the event warned of a variety of threats hackers could pose as they figure out how to gain access to the many electronic systems going into today’s cars:

  • As with home computers, some hackers will be looking for personal information, whether credit card numbers or a social security number that can be used to steal your identity
  • Other hackers might try to take control of your car, especially as autonomous vehicle technology begins coming to market. They could cause a crash, send you to the wrong destination, or even hijack your vehicle, perhaps taking a victim hostage
  • Hackers could shut down not just your vehicle but perhaps hundreds, even thousands of vehicles. If that happened on a highway, it would bring traffic to a halt

That’s an especially frightening scenario if you’re talking about hackers taking control of a major truck fleet, said Assistant U.S. Attorney General John Carlin, another speaker at the Detroit cybersecurity conference. That’s one of the biggest potential threats to its infrastructure America faces, he said, on a par with shutting down the electric grid.

But there are other serious concerns, according to Carlin. He said terrorists, in particular, may try to take remote control of a car or truck and use the vehicle as a deadly weapons—much as an ISIS disciple drove a truck into a crowd in Nice, France during Bastille Day earlier this month. That attack killed 84 people.

That possibility was made all the more real last year when two security experts hacked into a Jeep Cherokee, took remote control, and drove the vehicle into a ditch.

The transportation industry is on the “cusp” of a major crisis, said Carlin, stressing that “We can’t make the mistake of not designing in cybersecurity protection.”

Part of the challenge is that there are so many different types of hackers ready to target the automobile, said Josh Corman, founder of I Am the Cavalry, a grassroots organization working on cybersecurity issues. These range from 15-year-olds who hack for fun after school to professional criminals who hope to access personal or corporate data.

There are hacker collectives like Anonymous, which may act of political motives. And there are plenty of state-sponsored hackers, like those from Iran, China, and North Korea who have been linked to a variety of incidents involving personal, corporate, and government data thefts in recent years. And there are the terrorist groups, like ISIS, who have already shown an interest in using hacking as a means to their own ends.

In years past, the automobile was at the bottom of the list for cyber-criminals, but it’s moving up the ranks as it becomes more and more high-tech.

A decade ago, the most sophisticated vehicles had perhaps 10 million lines of software code, according to Mary Barra, the General Motors CEO who opened the Friday cybersecurity conference. But it’s not uncommon for vehicles to now have more than 100 million lines of code—more than an F-35 fighter jet. And when the first fully autonomous vehicles come to market, perhaps early in the coming decade, that number is expected to reach as much as 500 million lines.

Complicating matters is the fact that today’s cars are adding and increasing number of wireless access points that hackers can exploit. That includes satellite radio links, 4G LTE WiFi hotspots, even the remote tire pressure monitoring systems that are mandated by law. At the Detroit Auto Show last January, Toyota showed a prototype satellite system that could quickly download terabytes of data.

Automakers are taking a number of steps to improve cybersecurity. Earlier this month, Fiat Chrysler Automobiles signed up with Bugcrowd, a San Francisco collective that relies on a network of 32,000 “white hat” hackers. They can earn a “bug bounty” of up to $1,500 apiece for finding vulnerabilities in the maker’s technology. It’s worth the price; the Jeep Cherokee hack forced FCA to recall millions of vehicles to update their software.

Going forward, most manufacturers plan to enable their vehicles to download over-the-air updates to fix those vulnerabilities, much like you can continuously update the anti-viral software on your personal computer and smartphone.

But automakers can’t go it entirely alone, said Jeff Massimilla, the cybersecurity chief at General Motors. In an unusual step, GM has launched an industry-wide consortium known as ISAC, or the Information Sharing and Analysis Center, so automakers and suppliers can cooperatively address mobile cybersecurity.

Even then, Massimilla concedes that it will be impossible to ensure 100% cybersecurity. “No,” he said during the conference, “All systems fail.” But the industry has got to get to work now, he said, to minimize the risk.