We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
Cars flying off cliffs. Panicked drivers unable to stop their vehicles as they speed through red lights. It’s the stuff of movie fantasies, a Hollywood notion of hacking the software of modern automobiles.
But while cars careening out of control make for good box office, the reality of hackers breaking into cars and automakers’ networks is much more mundane and more of a real threat than anything Hollywood has depicted.
Hacked cars IRL
Earlier this year, for example, a security researcher in Germany managed to get full remote access to more than 25 Tesla electric vehicles around the world. A security flaw in the web dashboard of the EVs left them wide open to attacks. (The researcher warned Tesla, and the software has since been patched.)
Worse, in 2020, a ransomware attack against Honda forced the automaker to temporarily halt production on some plants in Europe and Japan. It’s more likely that this attack came through Honda’s IT infrastructure rather than its connected cars, but Honda never disclosed which road was taken. Ultimately, it doesn’t matter, as both are now inextricably connected.
In both cases, the danger wasn’t turning off headlights or disabling the brakes. The real target was getting access to all the data that cars and automakers now collect.
Automakers put a premium on safety and have spent decades trying to reduce accidents. They’ve also gotten better at physically separating a vehicle’s internet connectivity from the driving of a car. But the likelihood of Hollywood scenarios where consumer vehicles are turned into remote-controlled cars is low and distracts from security risks nearly all consumers with connected cars face: harvesting their data.
Hackers want your data, not your life
From location information, to credit card data in connected apps, to bank account balances, cars are now a rolling repository of critical digital information. With Amazon’s Alexa, Google’s Assistant and Apple’s Siri ready to shop online, make calls and disable home security systems from the driver’s seat, the possibilities are nearly endless. That’s where the money is and that’s where the vulnerabilities are.
And it’s not just EVs with cutting-edge technology that are connected to the web. According to an Otonomo survey, approximately 41% of all cars sold in 2020 were connected cars. As it happens, one of the first publicized car hack attacks by researchers was way back in 2015 on a Jeep; tens of thousands of vehicles had to be patched and updated.
While hackers steal credit card information every day, connected cars represent a smorgasbord of attack vectors. An automaker may keep its own systems locked down and its security protocols up to date, but the same cannot usually be said of the 200 or more suppliers that might be involved in delivering parts and materials for a single car.
Each of these suppliers and partners represent a potential attack point that can access an automaker’s systems. Add to this all the software connections, such as the third-party app that enabled the Tesla hacker, and the potential vulnerabilities multiply exponentially. Controlling your supply chain is hard, and that becomes even more difficult when your suppliers supply software.
Ransomware attacks are currently the main hacking threat companies face. According to a Sophos survey, last year 37% of companies polled said they had been hit with a ransomware attack. Indeed, last year, the Toll Group, a global logistics and transportation company responsible for delivering parts all over the world, including auto components, was hit by ransomware not once, but twice, forcing them to shutter IT systems affecting some 40,000 employees and customers in 50 countries.
Which reinforces the true goal of the vast majority of hackers: not pushing cars off cliffs, but accessing the data in cars and networks, which are now rolling computers. Hackers can track the location of anyone — essentially using cars as a new form of espionage or fodder for ransomware.
A back-to-the-basics solution
Protecting against such hacks means going back to the basics. Automakers must require and verify that every company in the supply chain perform regular and complete security backups. Similarly, companies large and small must continually perform updates and install all software patches, from server software to web apps. Two-factor authentication, password managers and training to identify phishing scams are also essential tools to protect automakers from breaches.
These safety measures have been common sense for online businesses for years. Now it should be common sense when it comes to cars, too.
Rick Van Galen is a security engineer at 1Password and a former ethical hacker.