Automakers Keeping Mum Over Cyber Hacks

Automotive hacks are coming – or so the warnings claim at virtually every auto industry event in the world.

It is widely believed that cars must be secured from the ground up in order to prevent the worst from happening but what if some of our cars are already being hacked? What if the worst is happening?

“We are not told,” said Ami Dotan, CEO of Karamba Security, referring to the prospect that carmekers may have already been targeted. “They keep it internally for many reasons – insurance, liability, what have you. We know that they are attacked and this is why you don’t see the deployment and broadening of connectivity. They, kind of, tested the water and they have seen it’s wild out there.”

The degree of any unreported attacks remains a mystery but it starts with malicious threat actors attempting to compromise a non-safety-related ECU. This may include infotainment or telematics. From there the attacker might try to compromise a user-controlled portion of the vehicle, such as the steering wheel or brakes.

In these early stages, Dotan is convinced that the lack of connectivity has limited the number and potency of malicious hacks. While more cars continue to add connected features, there are very few (if any) that are on par with smartphones. “It’s not true that the cars are not attacked,” said Dotan. Which begs the question: should connectivity be delayed indefinitely? “No, not at all. I think it brings a lot of added value but the people who come from 100 years of history of car making find it very difficult to adapt. That’s why you see the partnerships that are going on between the best of enemies. Who would think that those companies would ever cooperate in advanced ventures?”

Dotan stressed the importance of all the features, both for safety and convenience, that are coming down the road. He said cars should no longer be “dumb” devices that lack the intelligence of our personal electronics. However, to ensure the hype is more than mere fantasy, be it connectivity, autonomy or any other advanced feature, automakers might need to change they way they do business. “If they keep doing things at the pace they are used to,” Dotan said of carmakers, “and applying cyber-security at the pace they think is right, we will not enjoy those services for quite a long time.”

Even then, automakers will have to deal with the fact that greater connectivity and autonomy will inevitably lead to more attack vectors for those who wish to exploit them. Case in point: Dotan said that something as simple as the TPMS could potentially be hacked when in close proximity to the car. When satellites, cellular, wifi and DSRC are factored in, the risks grow exponentially. “The spectrum is so wide,” Dotan warned. “Using the car as a weapon and ramming it into people on sidewalks. Or creating havoc and huge accidents and emergency forces cannot get close to the action. Or for terror attacks.”

Big targets

Long-term, commercial trucks could feel the brunt of potential cyber threats. “A hacker will try to do anything to assume control and show the ability to assume control,” Dotan explained. “There is a difference, though, that we have learned between the trucking business and the cars business.”

That difference involves the level of control, as well as the massive and very expensive load of supplies and merchandise being hauled in every truck. “The trucking business is much more aware of cyber-security hacks because they have ECUs that control lane keeping, which means having control of the steering wheel and long driving hours and fatigue and all of that. Basically, if you have an ECU that can govern a steering wheel, that means if I can reach it, as an approved person to do so and change code, then I have control of the truck.”

If a hack were to occur, it would endanger the life of the driver as well as others on the road. Hundreds of thousands of dollars in cargo would also be at risk of being stolen or destroyed. Thus, Dotan sees the trucking industry as being very aware, perhaps even more so than the passenger car market, of the financial ramifications of cyber attacks.

“I think for hackers it doesn’t matter: he will take the easiest target to assume control of either direction or speed,” said Dotan. “There is a whole sector that is very much aware of it and very much looking to prevent it.”

Latin American fleet managers have already approached cyber experts about securing their freight, which is commonly stolen. This problem stands to worsen if and when full-fledged cyber threats become possible. “They go for GPS spoofing,” Dotan said of the current attack strategy. “The truck disappears for 20 minutes and the driver is found somewhere.”