Car manufacturers need to step back and reconsider the digital security of their products following the most recent case of vehicle hacking in the US.
That’s according to Professor Kevin Curran, a senior member of the Institute of Electric and Electronics Engineers.
Speaking to Autocar, Professor Curran said car manufacturers appeared to be more concerned with beating the competition to market with new technology, rather than fully testing its security. "I have a feeling they are rushing out features, and every industry can be guilty of that," he said. "I’d say there’s a rush to market and security is almost an afterthought."
Citing a lack of regulation in the automotive arena over the introduction of connected technology, Professor Curran said car makers should be following the example of the airline industry, where there are far more stringent security checks. "On planes, we have to rely on the airline manufacturers knowing better and erring on the side of safety," he said. "Why can the same not be true of car manufacturers?
"I would urge manufacturers to think, and I would hope there would be a think tank or body which can oversee the security of these devices. We’ve never been in the position before where someone can cause so much destruction to a car from such a great distance."
Hackers take control of Jeep Cherokee
Professor Curran’s comments on digital security come just weeks after two hackers in the US were able to successfully gain access to and control a Jeep Cherokee driving along a public road from a distance of 10 miles away.
The experiment, conducted for Wired magazine, showed how a car could be wirelessly hacked and controlled without the hacker being in close proximity. In the experiment, hackers Charlie Miller and Chris Valasek used what’s been described as a flaw in Fiat Chrysler Automobiles' UConnect infotainment system to hack the vehicle.
Once the duo had access, they were able to activate the car’s windscreen wipers, alter its climate control settings, play different music through the infotainment system and - most worryingly - deactivate the accelerator while the car was travelling at motorway speeds. At lower speeds, the pair could also apply the brakes - or deactivate them - and kill the engine completely.
Miller and Valasek were also able to monitor vulnerable vehicles from a laptop - showing the location and speed of vehicles connected to the UConnect system. The system is vulnerable as, like many others, it uses a mobile data network connection to access connected services. Miller and Valasek’s hack lets them infiltrate the car’s infotainment system and then issue commands which are spread to other areas of the vehicle via the CAN bus network.
Speaking to Wired, Valasek said: “From an attacker’s perspective, it’s a super-nice vulnerability.
“If consumers don’t realise this is an issue, they should, and they should start complaining to car makers. This might be the kind of software bug most likely to kill someone.”
Both hackers have been sharing their data with FCA for the past nine months, notifying the firm of potential flaws in its system. Late last month FCA issued an official recall for the 1.4 million vehicles that were vulnerable. A spokesman has confirmed to Autocar that the recall does not affect any cars in the UK.
The company said: “The hack published in Wired magazine was conducted through embedded cellular connectivity (Connected Vehicle), a feature that is not available in vehicles sold outside of the US, since international markets are currently not offering the same connectivity feature as the US-market vehicles.
“Under no circumstances does FCA condone or believe it’s appropriate to disclose 'how to' information that would potentially encourage, or help enable hackers to gain unauthorised and unlawful access to vehicle systems.”
Previous car hacking successes
This isn’t the first time the Miller and Valasek have successfully hacked a vehicle. In 2013 they were able to take control of a Toyota Prius - although at the time the hack could only be achieved via a physical connection to the car. It’s taken another two years of research to conduct the hack wirelessly.
Miller and Valasek have previously published a paper in the US, identifying the systems and vehicles most susceptible to hacking. Of the many connected systems in modern cars, the duo said the keyless entry and tyre pressure monitoring systems (TPMS) now common to most vehicles would be significantly vulnerable to attack.
The survey also ranked 24 vehicles on the ease of which they could be hacked. Among the cars that were deemed ‘most hackable’ were the Jeep Cherokee and Infiniti Q50.
Although Miller and Valasek’s hack has become one of the most high-profile cases of car hacking, other cases have previously highlighted the vulnerability of connected systems. In 2014 a group of Chinese students were able to hack a Tesla Model S as part of a competition at the Syscan conference in Beijing.
A prize of $10,000 was on offer to anyone who could gain access to the Model S while it was locked, with the students managing to open the car’s doors and bonnet. While not officially endorsing the project, Tesla issued a statement saying: “We support the idea of providing an environment in which responsible security researchers can help identify potential vulnerabilities.”
Swiss hacker Boris Danev has also been able to successfully hack vehicles, by utilising a flaw in the keyless entry systems used by many premium manufacturers. His hack, which works by amplifying the signal sent by a car’s key fob to be detected by a vehicle, allowed him to gain entry to and drive off in multiple cars from different manufacturers.
Danev’s method is a more high-tech version of the hack used by criminals to reprogram car keys here in the UK - something that has already prompted concern from many car makers.
Danev has developed a silicon chip that ends this vulnerability and is in discussions to incorporate the technology in several manufacturers' key fobs, but it’s not expected to be on sale until at least 2018.
New legislation to rate cars for digital security
Authorities in the US are in the process of drafting an automotive security bill that could involve introducing a digital security rating system for cars. As part of research into the bill, US senators asked 20 car makers to outline their digital security procedures.
Out of the 16 that responded, just seven said they worked with independent companies to identify and fix flaws in their systems, and only two have monitoring systems that actively search for potential attacks.
In the UK, where a number of early-stage studies are under way to create autonomous vehicles, a new code of practice issued by the Department for Transport has set out the rules for bringing driverless cars to fruition in this country.
As part of the code of practice, a section on ‘cyber security’ states: “Manufacturers providing vehicles, and other organisations supplying parts for testing will need to ensure that all prototype automated controllers and other vehicle systems have appropriate levels of security built into them to manage any risk of unauthorised access.”
In a statement, the Society of Motor Manufacturers and Traders (SMMT) said: "Vehicle manufacturers invest billions of pounds to keep vehicles as secure as possible, and work tirelessly to stay one step ahead of criminals. As a result, overall thefts in the UK have decreased by more than 75% over the past 10 years and continue to fall.
“The industry is working closely with the European Commission to ensure that motorists can experience the many benefits of connected technologies with minimal risk to vehicle security. The law must also provide severe penalties to deter criminals.”
Get the latest car news, reviews and galleries from Autocar direct to your inbox every week. Enter your email address below: