As transportation evolves from mechanical to digital, hackers are following the computers into cars.
Just about any new car can be hacked — some even driven by remote control — as automakers depend more on software and wireless connections. Vehicle vulnerability may only grow as cars become their own wireless hot spots with the advent of automated braking and steering systems, experts warn.
It’s already happening. This year, two cybersecurity researchers remotely put a Jeep Cherokee into a ditch by hacking the crossover’s UConnect radio. Jeep recalled 1.4 million vehicles in July to install a patch that plugged the digital security hole.
Other cybersecurity experts took control of a Tesla Model S by hacking the car’s entertainment system. Tesla developed a fix, which it transmitted to all Model S cars through an over-the-air software update.
A recent lack of basic encryption technology left BMW-built vehicles with a security flaw that could have allowed hackers to unlock the doors of up to 2.2 million Rolls-Royce, Mini and BMW vehicles. The German automaker said it fixed the problem in January.
“A lot of carmakers today have awoken to the reality that, as they develop more connected cars, they are inadvertently pushing security risks onto the market,” said Maryanna Saenko, senior analyst and autonomous systems expert at Lux Research.
That’s created “surprising” technical gaps that manufacturers should have caught, Saenko said.
Industry experts are divided over how much consumers should worry.
“Right now, it is really hard to do,” said Chris Valasek, one of the Jeep hackers and director of vehicle security research at IOActive, a computer security company. “It takes a lot of resources, money, and you have to be an expert. I am not concerned that someone will take over my car.”
Large-scale hacking of computers is ubiquitous because criminals can make money stealing personal and financial data, or by locking up devices, demanding ransom money or using them to spread spam, viruses and malware.
“That’s how malicious hacking occurs now,” Valasek said. “They access your financial information or they use your computer as a botnet.”
At least for now, there’s little profit in hacking a car, Valasek said.
That could change as cars become more robotic, especially if they gain the ability to make purchases or conduct transactions, he said.
For now, high-tech features such as forward collision alerts or tire air pressure monitoring are more likely to prevent a mishap than put the driver in harm’s way, Valasek said.
But there are threats, said John Bambenek, a senior threat analyst with Fidelis Cybersecurity.
In 2010, an angry worker fired by a Texas auto dealership hacked into an Internet service that disables the ignition in cars targeted for repossession and disabled the engines on 100 vehicles sold by his former employer.
“If you are going down the highway at 70 mph, and some disgruntled employee turns off your engine, that’s a danger,” Bambenek said.
Analysts say automakers have been slow to address a problem that has been evident for years.
“The encryption and password protection we use in financial matters has not yet made it into cars,” Saenko said.
Automakers and consumers need to think of vehicles as an extension of an individual’s personal network, she said.
“Your car should not be the weak point in your personal information,” Saenko said.
The problem starts with the way cars are designed, said Remy Glaisner, founder of Myria Research, a Boston research and advisory services firm that follows robotics. Automakers rely on third-party companies for on-board computers, and they don’t have enough internal expertise to evaluate their work.
The industry can no longer think of an embedded processor as just another part — like brake pads or an oil filter, he said.
Researchers presenting a paper at an advanced computing conference in Washington, D.C., last month demonstrated how a single auto part can create a risk.
The scientists, from universities in the Netherlands and England, said one of the most widely deployed electronic vehicle immobilizers — a feature that protects cars from theft — could be hacked. It uses radio waves to prevent a car from starting unless a linked transponder in the key fob is present. They eavesdropped on the radio signals.
The immobilizer is used in some Audi, Fiat, Honda, Volkswagen and Volvo models.
Audi spokesman Brad Stertz said it was a difficult task in which “manipulators must record at least two consecutive engine-starting operations with the original key, so it isn’t easily accomplished in the real world and uncommon.”
Most of its vehicles use locking systems that differ from the one the European researchers hacked, Stertz added.
Honda uses other immobilizers in its vehicles but continues to study the vulnerability, spokesman Chris Martin said.
Auto industry representatives are increasingly factoring cybersecurity into automotive design.
The car companies are creating a center that will serve as a central hub for intelligence and analysis, providing timely sharing of cyberthreat information and potential vulnerabilities, said Robert Strassburger, vice president for vehicle safety at the Alliance of Automobile Manufacturers, a trade group that represents the world’s largest car companies.
It should be up and running later this year. The location has not been announced.
The center will expand to include auto suppliers and other industry partners, such as telecommunications providers and technology companies, he said.
“Carmakers don’t want to sell you products that put you at risk,” Saenko said. “It is a real liability for them.”
Automakers also have other industries to use as models for security.
“We all fly in aircraft that are almost completely autonomous and could potentially take off and land by themselves,” Glaisner said. “But when you are on a plane, you don’t worry that the system is going to be hacked and the plane will crash.”