Is your car safe from a cyber attack?

In January 2022, 19-year-old David Colombo from Dinkelsbühl, Germany, announced via Twitter that he had been able to hack at least 25 Tesla vehicles in 13 countries and partially take them over.

“So, I now have full remote control of over 25 Teslas in 13 countries and there seems to be no way to find the owners and report it to them,” he tweeted.

Luckily, Colombo’s intentions were good. As the founder of cyber-security firm Colombo Technology, he used his actions simply to demonstrate the security flaw of the third-party software that Tesla was using, and to warn automakers the world over about the danger of malicious attacks.

Colombo isn’t alone in his mission. Cyber-security firm McAfee demonstrated how it could trick autonomous vehicles (AVs) into speeding over 50mph above the speed limit. And Ubiquitous System Security Lab, along with a series of partners, demonstrated how ‘poltergeist’ attacks – where attacks are made against the camera-based computer-vision systems found in AVs – can trick self-driving cars’ machine-learning systems into ignoring obstacles.

“If we don’t find vulnerabilities in the vehicles of tomorrow, threat actors will,” Colombo wrote in an article for Medium. “Malicious cyber-attacks on vehicles and/or the automotive ecosystem can have disastrous outcomes affecting not just the public image of automakers and OEMs, but also having a direct impact on human lives, infrastructure, and other aspects. A fleet hacked by a threat actor with malicious intent would be a worst-case scenario that should be avoided at all costs.”

The possibilities don’t bear thinking about. “The ultimate risk would be a fleet of commercial vehicles or buses could be taken over remotely and turned into missiles,” said Tu Le, founder of global innovation and management consultancy firm Sino Auto Insights. “Autonomous systems in military vehicles could be disabled while attacking or while under attack – and made useless. Warships could be taken over and used to attack or ambush unsuspecting entities. This is just to name a few.”

However, Mike Ramsey, a research director focused on automotive and smart mobility at analyst firm Gartner, argues that the chances of malicious attacks causing real danger to human lives are slim. But he does believe that ransomware attacks are a very real possibility. “You have to think about things in terms of incentives,” he says. “There’s not a lot of incentive to do something dangerous. However, threat actors can hack a network and shut down a large number of vehicles or make them non-functional and then demand a ransom. Hackers are very good at figuring out the economics of this. When automakers are faced with a decision of fixing $25m-worth of cars or paying a ransom of $1m, there’s not really much of a decision to be made.”

Elad Robb, head of cyber threat intelligence, AutoThreat at Upstream Security, agrees: “As more autonomous and connected vehicles interact with other vehicles, road signs over networks, mobile applications and charging infrastructure, it will be more lucrative for malicious actors to attack them,” he says. “Put simply, adversaries follow the money, so the greater the gain, the more likely they are to try and gain access.”

Fortunately, the attacks reported to date, while dangerous, have not carried the impact of their full potential – but they have not been trivial. “In April 2022, an EV charging station in the Isle of Wight was hacked to show inappropriate content, with some EV owners also experiencing high-​voltage fault codes, leaving them stranded,” Robb says. “Also, in February, a Japanese OEM was forced to shut down 14 manufacturing facilities as a result of a cyber attack.”

Meanwhile, Honda recently acknowledged that hackers had found a way to remotely start the engine of some of its models, and unlock doors by taking control of the car’s remote keyless entry system.

These aren’t isolated incidents. According to Upstream’s 2022 Global Automotive Cybersecurity Report, the number of cyber events on cars soared by a massive 225 per cent between 2019 and 2022.

Why such a dramatic uptick? According to Gartner’s Ramsey, there are multiple reasons. “Not only are there so many more vehicles on the road today, but the majority of these now have embedded connectivity,” he says. “Embedded connectivity means that they are sending and receiving information all the time – and that makes them more vulnerable to cyber attacks.”

In fact, the number of connected vehicles on our roads will increase by 134 per cent, from 330 million in 2018 to 775 million this year, according to Juniper Research. And, by 2025, a connected car will produce 25GB of data per hour and up to 500GB if fully autonomous.
“As the automotive industry transforms from individual, siloed vehicles into an interconnected smart mobility ecosystem, it expands the auto-industry ecosystem from vehicles into services,” explains Robb. “As vehicles become software-defined and more connected, threats and attacks escalate accordingly. New attack surfaces continuously emerge and are exposed by cyber-security experts.”

It appears that some automakers are paying attention. “Pioneering automotive players are definitely beginning to recognise that this is a unique use case where traditional IT cyber-security solutions may not fully meet the complex needs of protecting vehicles on the road, and have started implementing purpose-built solutions,” says Robb.

Audi, for example, is prioritising the issue. “Audi is taking technical, organisational and process-related measures to ensure automotive security,” says Christian Hartmann, a company spokesperson for electric mobility and automated driving. “We are doing this from the development stage, through encryption and authentication of data connections between cars, for example, right through to the backend. We are searching for weak points, and security experts and pen testers check the processes from the start of development to the start of production. We are constantly expanding the security mechanisms to develop new functions around data security, protecting the vehicle against hacking and privacy demands.”

Meanwhile, the approach taken by Waymo – the company formerly known as the Google self-driving car project – is to think about cyber security holistically. “At Waymo, we build an autonomous driver, not a car,” says Stacy Janes, head of cyber security at the company. “It can be applied to different vehicle types and use cases from passenger cars to delivery vans to big rig trucks. So when we think about cyber security, that includes the Waymo Driver, the vehicle platform it’s going to be applied to, how they interact and communicate with each other and the infrastructure that supports that.”

There are threats that are unique to each application of the Waymo Driver. “We use a risk-based approach to identify these threats, evaluate what the main risks are and prioritise what to focus on first, working our way down through the list,” Janes says. “Of course, this approach is not unique to the autonomous driving space and has been widely used across many other industries.”

Waymo uses layers of security to protect its autonomous driving system – especially its safety-critical functions like steering and braking, and the way it interacts with the base vehicle.

“We also consider the security of our wireless communication,” Janes adds. “The Waymo Driver does not rely on a constant connection to operate safely. While on the road, all communications between the operations centres and the vehicles are encrypted, including those between Waymo’s operations support staff and riders. The Waymo Driver can communicate with the operations centre to gather more information about road conditions, while the Waymo Driver maintains responsibility for the driving task at all times.”

That’s not all. Waymo also has diverse mechanisms for noticing anomalous behaviour and internal processes for analysing those occurrences. “Should Waymo become aware that someone has attempted to impair its vehicle’s security, it will trigger its company-wide incident response procedure, which involves impact assessment, containment, recovery and remediation,” Janes says.

However, Le at Sino Auto Insights believes that this approach is the exception rather than the rule. “Many traditional automotive manufacturers are still trying to learn the basics of software development,” he says. “So, generally speaking, they may be aware of the exposure that’s created by manufacturing and selling smart, electric vehicles to the public (because they have high-paid lawyers that will tell them), but they’re not savvy enough to know how to set up a bulletproof/hackproof infrastructure that’s always one step ahead of the bad guys.

“Software hasn’t been in their wheelhouse for the last hundred or so years, so most of them are still trying to understand the implications of having vulnerable firmware, control modules, operating systems or infotainment systems, for example,” he continues. “Also, remember that they may rely on partners for software add-ons, so there’s another vulnerability they’re likely relying on their partner to secure.”

It’s also widely accepted that regulations are lacking. In fact, at the moment, it appears that the move toward connected autonomous vehicles is outpacing the cyber-security measures and regulations that are in place.

“Despite regulatory progress, automotive-specific cyber-security standards have not been fully mandated worldwide,” says Robb. “With the proliferation of connectivity and software-based services, the attack surfaces on vehicles are rapidly expanding.”

However, change is on the horizon. New regulations are being implemented in Europe with the aim of protecting vehicles from both today’s known threats, and the unknown threats of the future.

“Since July 2022, a common set of cyber-security requirements is mandatory for all new vehicle types, and it will become mandatory for all new vehicles produced from July 2024,” explains Sonya Gospodinova, a spokesperson at the European Commission. “The new regulations on automated vehicles refer to the cyber-security requirements and add specific requirements when needed.” Moreover, she adds, the new NIS2 Directive on cyber security specifically includes motor vehicles among the sectors covered.

When the NIS2 directive enters into force, the manufacture of motor vehicles, trailers and semi-trailers, like other entities in sectors that are dependent on network and information systems and that provide key services to the EU economy and society, will be required to take cyber-security measures and report significant incidents with a view to increasing the overall level of cyber resilience throughout the internal market.

However, Gospodinova is quick to recognise that cyber security must be constantly implemented to be future-proof. “Manufacturers have to put in place a cyber-security management system covering the whole lifecycle of the vehicle, from design to decommissioning, including software updates,” she says. “A challenge faced by the industry today is to define a cyber-security approach that allows third parties to develop and offer services for the vehicle users.”

Robb shares this opinion. “In order to mitigate and thwart these attempts to gain access to sensitive and critical systems,” he says, “OEMs should focus on ensuring they have a holistic view of all potential access points – from companion apps to charging stations as well as vehicles already on the road. Having the tools in place to monitor and understand the live state of the vehicle, consumer or application that interacts with the vehicle to detect unusual or malicious activity is key so that OEMs can respond efficiently via a dedicated virtual security operations centre.”

This is where Le believes that the majority of automakers will continue to fall short. “I think generally many CAV manufacturers outsource their cyber security to ‘security’ partners or rely on/assume that their suppliers are taking the necessary steps,” he says. “As long as the supply contract says it’s not their responsibility and they bear none for any hacks, then I think that’s as far as they’ll take it.”

Ramsey agrees, adding that, while the new regulations will lead to some action, automakers won’t really make cyber security a priority until something serious happens. “At some point in the not-too-distant future, there’s going to be a major hacker event that will probably wake up the industry and start changing the talk around it,” he says. “I don’t know when that’s going to happen, of course, or the context of it, but it’s almost inevitable. As sad as it sounds, it probably needs to happen in order for the speed of implementation to quicken. If one automaker has a million cars that stop working all of a sudden, and the cost of that is astronomical, that is a pretty big motivator to change.”