The biggest threat to cars used to be break-ins. Police still remind people to lock their cars and not leave their keys in the ignition.
But as vehicle technology becomes more sophisticated, car makers and owners are facing another obstacle, one that used to be consigned primarily to the likes of computers and phones: Hacking.
Hacking is a problem
On Oct. 24, the National Highway Traffic Safety Administration issued new guidelines for automakers on how to improve hacking defenses in their vehicles.
“Cybersecurity is a safety issue, and a top priority at the department,” Transportation Secretary Anthony Foxx said. “Our intention with today’s guidance is to provide best practices to help protect against breaches and other security failures that can put motor vehicle safety at risk.”
Auto cybersecurity company Argus says that as more cars become “connected,” meaning they have access to the Internet, more are at risk for becoming targets in a cyberattack. The company estimates that by 2020, just about every car on the road will be connected in some way.
“Hackers may be able to send commands to the vehicle from a remote location in order to … steal private and corporate data, track individual vehicles or entire fleets and hijack non-safety and safety-critical functions — imagine losing the ability to steer or brake while speeding down a highway!” the company’s website reads.
Personal vehicles are not the only ones at risk. The Federal Trade Commission released a statement in August warning car renters to be careful when entering personal information in a rental car, saying that that information can fall into unwanted hands unless users take steps to prevent it.
“If you connect a mobile device, the car may also keep your mobile phone number, call and message logs, or even contacts and text messages,” FTC attorney Lisa Weintraub Schifferle wrote. “Unless you delete that data before you return the car, other people may view it, including future renters and rental car employees or even hackers.”
Taking steps to fix it
In July 2015, the NHTSA recalled nearly 1.5 million vehicles due to security flaws that it determined could put car owners at risk. Around the same time, the Automotive Information Sharing and Analysis Center, or Auto ISAC, was created to help alleviate the problem.
NHTSA’s new guidelines suggest using a multi-layered approach to battling hacks, which include faster detection of possible hijacking, faster recovery methods when an attack does happen and using Auto ISAC to rapidly spread information and lessons learned from attacks.
“In the constantly changing environment of technology and cybersecurity, no single or static approach is sufficient,” said NHTSA Administrator Dr. Mark Rosekind. “Everyone involved must keep moving, adapting, and improving to stay ahead of the bad guys.”
In July, Auto ISAC issued its own list of best practices for car manufacturers. However, it cautioned that the list was not mandatory, and that each company was responsible for developing its own unique brand of cybersecurity. This differentiation, some fear, could make some cars more hackable than others.
In 2014, hackers Charlie Miller and Chris Valasek showed their list of the most hackable cars at the Black Hat security conference in Las Vegas. Among those named the most at risk for hacking were the 2014 Jeep Cherokee, the 2014 Toyota Prius and the 2014 Ford Fusion.
However, Wired reports that Miller and Valasek did include a caveat that their findings revealed potential weaknesses more than provable ones.
A real risk?
As fears about car-hacking become more mainstream, many have been quick to discount the claims. David Pogue wrote a critical piece for Scientific American pointing out that the Jeep Cherokee hacked by Miller and Valasek belonged to them and that it took them more than a year to figure out how to compromise it.
“Here’s the simple truth. No hacker has ever taken remote control of a stranger’s car. Not once. It’s extraordinarily difficult to do. It takes teams working full-time to find a way to do it,” Pogue wrote.
However, Pogue conceded that the carmakers whose vehicles were deemed at risk were quick to fix the vulnerabilities, suggesting that “research hacking” may help make cars safer in the long run.
Norton, one of the most prevalent security companies in the United States, published an article that claims car-hacking has not yet reached the point where it is a significant concern for the average car owner.
“The potential for car hacking is real, although there may not be a financial incentive for hackers to focus on autos just yet,” the article read.
What you can do
For those of you out there driving a late ’90s clunker, you may be safe. But for the rest of us, experts say it’s not a bad idea to research your car and its connectivity. Norton suggests becoming familiar with your car’s wireless system and finding out if it can be controlled remotely, in addition to making sure any aftermarket devices you install aren’t vulnerable to hacking.
Keeping up to date on vehicle recalls and updates is also an important step. The NHTSA has a website where you can enter your vehicle identification number and see if your car is eligible for security updates.
While car hacking may still be in its infancy, the risk is likely to continue to grow as cars become smarter. Unlocked cars is still the most common — and easily remedied — of car troubles, but it may not be long before thieves turn their attention to our ever-connected vehicles.
