WikiLeaks documents indicate that the CIA considered a “mission” against connected car technology, thereby underscoring auto industry concerns that the science behind the next generation of vehicles could lead to attacks from hackers.
There’s no question that effective cyber security is an essential part of the requirements for current connected cars and the eventual rollout of self-driving vehicles, considering the many possible vulnerabilities that could be exploited by hackers. For example, if a hacker attacks a fully autonomous vehicle with no steering wheel or brakes, the passenger would be left with no way to regain manual control of the car.
“You have a lot of car companies trying to design cars to be better suited to automation, which means they’re more attractive to hackers,” said auto consultant Roger Lanctot of Strategy Analytics.
Reuters reports that WikiLeaks documents show the CIA citing “vehicle systems” and a car operating system from QNX, owned by BlackBerry Ltd., as “potential mission areas” for the CIA’s “Embedded Devices Branch” to consider. The QNX operating system, which is used by the majority of global automakers, provides “a comprehensive, multi-level, policy-driven security model … to mitigate attacks,” the company said in a statement to Reuters. However, considering the collection of software, hardware and network components that make up a connected car, “security is only as strong as its weakest link,” the company explained.
There have already been several instances where researchers were able to hack into vehicles’ systems. One of the better-known cases occurred in 2015, when researchers used a wireless connection to turn off a Jeep Cherokee’s engine. This prompted the massive recall of 1.4 million vehicles by Fiat Chrysler Automobiles. Another example was in September of last year, when Chinese cyber security researchers were able to hack a Tesla Model S sedan, remotely tapping the brakes and opening the trunk. Subsequently, Tesla patched the bugs using an over-the-air fix.
If consumers are going to be able to trust connected cars and self-driving vehicles, they will have to believe that they’re safe from attack by hackers. If a car is seen as vulnerable, it “could be a big brand problem,” said Mark Wakefield, global co-head of the automotive practice at AlixPartners.
There is certainly a lot more work required in order to ensure that the public believes these vehicles are safe. For example, in a January survey conducted by the University of Michigan’s Transportation Research Institute, 33 percent of respondents said they were “extremely concerned” about the possibility that hacking fully autonomous cars could cause crashes.
Automakers are working to build walls between non-crucial infotainment systems and driving controls, so that any breach will be blocked before it could compromise essential functions like brakes.
Lanctot believes that the first step is tackling intrusion detection. At the same time, he explained that there are further complications about what to do when a breach is detected, as shutting off parts of a car could be unsafe. Lanctot said that the industry is “years away” from solving the cyber security problem, noting that the first generation of cars built after the Jeep hack that include some kind of detection capabilities won’t be seen until early 2018.
In January, U.S. lawmakers introduced a bill calling for cyber security standards for new cars. However, at this point, U.S. regulators have issued recommendations, not rules, on how automakers should shield their computer systems from hackers.