Car manufacturers should reconsider how quickly they bring new technology to market, according to the Institute of Electric and Electronics Engineers

Car manufacturers need to step back and reconsider the digital security of their products following the most recent case of vehicle hacking in the US. 

That’s according to Professor Kevin Curran, a senior member of the Institute of Electric and Electronics Engineers.

Speaking to Autocar, Professor Curran said car manufacturers appeared to be more concerned with beating the competition to market with new technology, rather than fully testing its security. "I have a feeling they are rushing out features, and every industry can be guilty of that," he said. "I’d say there’s a rush to market and security is almost an afterthought."

Citing a lack of regulation in the automotive arena over the introduction of connected technology, Professor Curran said car makers should be following the example of the airline industry, where there are far more stringent security checks. "On planes, we have to rely on the airline manufacturers knowing better and erring on the side of safety," he said. "Why can the same not be true of car manufacturers?

"I would urge manufacturers to think, and I would hope there would be a think tank or body which can oversee the security of these devices. We’ve never been in the position before where someone can cause so much destruction to a car from such a great distance."

Hackers take control of Jeep Cherokee

Professor Curran’s comments on digital security come just weeks after two hackers in the US were able to successfully gain access to and control a Jeep Cherokee driving along a public road from a distance of 10 miles away.

The experiment, conducted for Wired magazine, showed how a car could be wirelessly hacked and controlled without the hacker being in close proximity. In the experiment, hackers Charlie Miller and Chris Valasek used what’s been described as a flaw in Fiat Chrysler Automobiles' UConnect infotainment system to hack the vehicle.

Once the duo had access, they were able to activate the car’s windscreen wipers, alter its climate control settings, play different music through the infotainment system and - most worryingly - deactivate the accelerator while the car was travelling at motorway speeds. At lower speeds, the pair could also apply the brakes - or deactivate them - and kill the engine completely.

Miller and Valasek were also able to monitor vulnerable vehicles from a laptop - showing the location and speed of vehicles connected to the UConnect system. The system is vulnerable as, like many others, it uses a mobile data network connection to access connected services. Miller and Valasek’s hack lets them infiltrate the car’s infotainment system and then issue commands which are spread to other areas of the vehicle via the CAN bus network.

Speaking to Wired, Valasek said: “From an attacker’s perspective, it’s a super-nice vulnerability.

“If consumers don’t realise this is an issue, they should, and they should start complaining to car makers. This might be the kind of software bug most likely to kill someone.”

Both hackers have been sharing their data with FCA for the past nine months, notifying the firm of potential flaws in its system. Late last month FCA issued an official recall for the 1.4 million vehicles that were vulnerable. A spokesman has confirmed to Autocar that the recall does not affect any cars in the UK.

The company said: “The hack published in Wired magazine was conducted through embedded cellular connectivity (Connected Vehicle), a feature that is not available in vehicles sold outside of the US, since international markets are currently not offering the same connectivity feature as the US-market vehicles. 

“Under no circumstances does FCA condone or believe it’s appropriate to disclose 'how to' information that would potentially encourage, or help enable hackers to gain unauthorised and unlawful access to vehicle systems.”

Previous car hacking successes

This isn’t the first time the Miller and Valasek have successfully hacked a vehicle. In 2013 they were able to take control of a Toyota Prius - although at the time the hack could only be achieved via a physical connection to the car. It’s taken another two years of research to conduct the hack wirelessly.

Miller and Valasek have previously published a paper in the US, identifying the systems and vehicles most susceptible to hacking. Of the many connected systems in modern cars, the duo said the keyless entry and tyre pressure monitoring systems (TPMS) now common to most vehicles would be significantly vulnerable to attack.

The survey also ranked 24 vehicles on the ease of which they could be hacked. Among the cars that were deemed ‘most hackable’ were the  Jeep Cherokee and Infiniti Q50.

Although Miller and Valasek’s hack has become one of the most high-profile cases of car hacking, other cases have previously highlighted the vulnerability of connected systems. In 2014 a group of Chinese students were able to hack a Tesla Model S as part of a competition at the Syscan conference in Beijing.

A prize of $10,000 was on offer to anyone who could gain access to the Model S while it was locked, with the students managing to open the car’s doors and bonnet. While not officially endorsing the project, Tesla issued a statement saying: “We support the idea of providing an environment in which responsible security researchers can help identify potential vulnerabilities.”

Swiss hacker Boris Danev has also been able to successfully hack vehicles, by utilising a flaw in the keyless entry systems used by many premium manufacturers. His hack, which works by amplifying the signal sent by a car’s key fob to be detected by a vehicle, allowed him to gain entry to and drive off in multiple cars from different manufacturers.

Danev’s method is a more high-tech version of the hack used by criminals to reprogram car keys here in the UK - something that has already prompted concern from many car makers.

Danev has developed a silicon chip that ends this vulnerability and is in discussions to incorporate the technology in several manufacturers' key fobs, but it’s not expected to be on sale until at least 2018.

New legislation to rate cars for digital security

Authorities in the US are in the process of drafting an automotive security bill that could involve introducing a digital security rating system for cars. As part of research into the bill, US senators asked 20 car makers to outline their digital security procedures.

Out of the 16 that responded, just seven said they worked with independent companies to identify and fix flaws in their systems, and only two have monitoring systems that actively search for potential attacks.

In the UK, where a number of early-stage studies are under way to create autonomous vehicles, a new code of practice issued by the Department for Transport has set out the rules for bringing driverless cars to fruition in this country.

As part of the code of practice, a section on ‘cyber security’ states: “Manufacturers providing vehicles, and other organisations supplying parts for testing will need to ensure that all prototype automated controllers and other vehicle systems have appropriate levels of security built into them to manage any risk of unauthorised access.” 

In a statement, the Society of Motor Manufacturers and Traders (SMMT) said: "Vehicle manufacturers invest billions of pounds to keep vehicles as secure as possible, and work tirelessly to stay one step ahead of criminals. As a result, overall thefts in the UK have decreased by more than 75% over the past 10 years and continue to fall.

“The industry is working closely with the European Commission to ensure that motorists can experience the many benefits of connected technologies with minimal risk to vehicle security. The law must also provide severe penalties to deter criminals.”

Get the latest car news, reviews and galleries from Autocar direct to your inbox every week. Enter your email address below:

Our Verdict

Jeep Cherokee

Can Italian tech put this once-rugged off-roader ahead of the pack?

Join the debate

Comments
8

4 August 2015
Unfortunately, we are probably going to have a lot more of these hacks before we start to see much improvement. The PC industry first, then the Smartphone industry learned the hard way that you have to engineer security into software products from the start.

Automotive and the Internet of Things industries are the next ones who will need to learn that they aren't immune, and the worry is that most smartphones don't travel at 70MPH and weigh 2 tonnes.

The safety critical parts of automotive systems are usually designed and implemented carefully (there are special standards for this), but we are increasingly connecting components that are considered 'not safety critical', such as Infotainment systems to the same network (CAN bus) in the car. This is roughly the equivalent of putting a top quality padlock on your front door and leaving the side window open.

Incidentally, if you drive along regularly using a Bluetooth OBD2 adaptor to connect to a Smartphone app like Torque, what you are really doing is opening your CAN Bus to anyone with a phone who can guess the PIN (which is 0000 or 1234 on almost all OBD2 adaptors). Not too much of an issue in a workshop, but while you are driving?

4 August 2015
Who wants this crap anyway?

4 August 2015
eseaton wrote:

Who wants this crap anyway?

We may not understand until a few years have elapsed. Electric windows and central locking were likely poo poo'd a few decades ago as needless extras that simply go wrong. The original Mini had the right idea, of course, with the sliding windows. Or the 2CV with one that flapped up. Cars were so small/narrow then, you could lock/unlock doors from the driver's seat. Maybe the same people who want internet enabled 'fridges need the tech? Which reminds me, I must investigate those better balance yoga classes so I can stand on one leg in order to open the rear hatch with one foot under the bumper, remembering to step smartly back to avoid the tailgate, while both my arms are occupied with the heavy shopping bags and it's raining.

5 August 2015
But the industry wants to sell it to you - more buttons = more money - making this a massive story which is being more or less ignored.

4 August 2015
I don't really understand this stuff, but an 'expert' speaking on BBC radio said vehicles could be hacked through DAB systems too? Professor Curran is dead right that motor manufacturers seem only concerned with being the first to market: Its all about being fashionable and getting sales, not only it seems at the expense of security, but also in many cases taking precedence over driver ergonomics and ease of use.

4 August 2015
Its not really a newsflash is it? If we car buyers become concerned and a rating system is developed then the car manufacturers will do something about their security. Now that just about every car achieves a 5 star crash rating from NCAP maybe they could start looking at other issues like this one. Who would buy a car with a 1 star security rating?

So how about this for a doomsday scenario. The terrorists run out of kids willing to blow themselves up. So they work out how to hack cars with driverless technology. They then fill these cars or vans with explosives, punch the address they want to bomb into the sat nav and hey presto a suicide bomber without the suicide. Thank you car industry.

Maybe one day we will go back to cars where the main features are 3 pedals, a gearshift, a steering wheel and god forbid a handbrake that you actually need to use muscle to apply. You cannot hack those.

4 August 2015
Ok, who prefers electronic hand breaks to traditional ones? And if so why?

5 August 2015
eseaton wrote:

Ok, who prefers electronic hand breaks to traditional ones? And if so why?

Count me in as one who prefers. Cabin looks neater. Ease of use. I've had a year's worth of it on a Golf. It can be set to be fully automatic all the time, which is handy and that is how I use it. Works well as a compliment to the DSG. Got used to it within first day or so, and it is now forgotten.

Add your comment

Log in or register to post comments

Find an Autocar car review

Driven this week

  • Kia Stonic
    First Drive
    18 October 2017
    Handsome entrant into the bulging small crossover market has a strong engine and agile handling, but isn’t as comfortable or complete as rivals
  • Hyundai Kona
    First Drive
    18 October 2017
    Hyundai's funky-looking Kona crossover with a peppy three-cylinder engine makes all the right noises for the car to be a success in a crowded segment
  • Citroën C3 Aircross
    First Drive
    17 October 2017
    The Citroen C3 Aircross has got funky looks and a charming interior, but it's another small SUV, and another dynamic miss. Numb steering is just one thing keeping it from class best
  • Skoda-Karoq 2.0 TDI 4x4
    First Drive
    16 October 2017
    Diesel version of Skoda’s junior SUV is unobtrusive and undemanding, but we’d still go for the silkier petrol version of the Karoq
  • Audi Q7 e-tron
    First Drive
    16 October 2017
    Expensive and flawed but this understated diesel-electric Audi Q7 has a lot to offer