Here’s a lot of fear-mongering around the issue of automotive cybersecurity, following some high-profile instances of hackers gaining control of a car’s steering and acceleration.
But a growing number of experts say creating havoc on the roads is not the primary threat from car hackers. They may be after something much more mundane: your money.
“Hacking into a car and controlling it without visuals would be a psychotic thing to do; few people would want to do that,” said Craig Smith, a security research director at Rapid7, a cybersecurity company. “The ones that would invest a lot of time and energy are usually after data.”
Primarily financial data.
Criminal hacking attempts are a certainty in the future connected-car environment, said Di Ma, a professor at the University of Michigan Transportation Research Institute. However, since most cases of vehicle hacks so far have been by researchers, it’s difficult to predict the manner and severity of real-world criminal hacks.
Security experts have an idea of what attracts hackers, based on what they can surmise from hackers’ current capabilities and the kinds of threats other connected industries have dealt with. Only a minority of criminals would be motivated by physical attacks — money will be a much stronger motivator, said Andre Weimerskirch, vice president of cybersecurity at Lear Corp.
“Attackers will try to find exploits that provide a financial incentive, and it seems that safety-critical attacks don’t provide any obvious monetary return,” Weimerskirch wrote in an email to Automotive News.
Here’s what hackers could do for money, according to Weimerskirch:
• Remotely unlock a vehicle and steal it.
• Charge drivers ransom in exchange for regaining control of their car.
• Crack into cellphones connected via USB ports and steal credit card information, or use location data and apps to break into the driver’s home.
Vehicle connectivity also can help hackers locate police cars or listen to conversations via Bluetooth microphone, Smith said.
“Conversations in the back of a limo can hold a lot of value,” he wrote. “That’s much more interesting for an attacker.”
Many cars on the road today have the ability to wirelessly communicate both internally between vehicle components and externally with other devices such as cellphones and laptops. In 2020, IHS Automotive estimates, 55 percent of new vehicles sold globally will be connected, and about half of cars on the road will have some level of connectivity.
Connectivity makes cars vulnerable to outside hacks. Though the number of connected vehicles has grown quickly, only about 40 percent of automakers have a dedicated cybersecurity unit, according to a survey conducted by McKinsey & Co., and less than half of automakers said their cybersecurity team was well-prepared to handle hacking threats. Nearly 85 percent rated their exposure risk to cybersecurity threats at medium to high.
To defend against attacks, automakers need to constantly monitor vehicles for software bugs and potential weaknesses and be able to “triage” issues as they appear via processes such as over-the-air updates, Smith said. Open communication within the industry also can help automakers identify potential vulnerabilities before they are exploited by a hacker.
“Vehicles are now mainly software,” he said. But it will be impossible to prevent every problem, he said. “Even if you do everything right, something could have a bug in it somewhere down the road.”