The latest buzzword in the automotive industry, “software-defined vehicle,” is nebulous to the degree of being meaningless, as every vehicle on the road depends on some kind of computer programming for systems ranging from the touchscreen to the engine management, steering and brakes. The degree to which those systems are interconnected and connected to the internet varies from automaker to automaker and vehicle to vehicle.
The advantages of a software-defined vehicles are many, including the ability to receive updates wirelessly to fix old problems or add new features, including extending battery range. With these advantages come issues of digital security. Computers can be hacked, systems can be compromised, and because our cars are now connected to our homes and phones, which are connected to our personal data, credit cards and banks, the entire network is at risk, experts say.
“Modern vehicles are equipped with various connected technologies, including telematic and infotainment systems, connected gateways, vehicle access system or onboard charger control unit,” Christine Caviglioli, vice president of automotive at cybersecurity and data protection firm Thales told Newsweek.
“This connectivity makes vehicles susceptible to cyberattacks on a large diversity of interfaces such as cellular, vehicle-to-vehicle (V2V), Wi-Fi, GPS, Bluetooth, ultra-wideband, NFC, USB, OBDII diagnostic port or Power-Line Communication (PLC) for vehicle charging.”
JACK GUEZ/AFP via Getty Images
In 2015, two hackers and researchers were able to break into a Jeep Cherokee through an old versions of its Uconnect infotainment system. In addition to seeing the actual mapped locations of those vehicles, Wired reporters Charlie Miller and Chris Valasek were able to take control of the engine, transmission, steering wheel and brakes of the vehicle as part of an experiment. Before the story and before the two held a conference on the vulnerabilities, Fiat Chrysler Automobiles (FCA), then the parent company of the Jeep brand, developed and installed an update for the problem.
Previously the two were able to disable brakes, honk the horn, jerk the seat belt, and control the steering wheel using a laptop in the back of both a Toyota Prius and Ford Escape. Those vulnerabilities were also corrected.
More recently, a group of independent security researchers found a vulnerability in a Kia web portal that allowed them to reassign control of the internet-connected features. They built a custom app and were able to scan almost any internet-connected Kia vehicle’s license plate and track that car’s location, unlock the car, honk its horn, or start its ignition. The models vulnerable numbered in the millions.
The researchers alerted Kia, and a patch (fix) was made, part of almost of decade of vulnerabilities found in automakers from all reaches of the globe, from Nissan to Ferrari.
Hackers have also shown that they can get into customer and employee files, sales records of physical vehicles and locations of owners in addition to attacking vehicles.
Hyundai Motor America
“Hackers could potentially affect a wide range of systems, exploiting vulnerabilities to compromise functionality, safety, or privacy. Telematic systems allow remote commands and remote diagnostics, positioning tracking or emergency services. If compromised, hackers could use the remote capabilities of the vehicle and expose sensitive location or personal information,” said Caviglioli.
She also said that a cyberattack could manipulate advanced driver-assistance systems (ADAS) features, potentially causing accidents. Compromised systems in charge of the dynamic control of the vehicle such as engine, braking or steering can potentially lead to loss of control while driving. Additionally, hackers could attack battery management systems, affecting range or battery safety.
Cars Need Software Updates to Maintain Security
Like smartphones, today’s cars, trucks, vans, wagons and SUVs require security updates to maintain their integrity. Software updates and patches are commonplace in connected cars with many including bug fixes and, occasionally, added features like a new app or the ability to extend the range of your vehicle’s battery. Most of these updates can happen in a matter of minutes when a vehicle is parked and unused. Updating your vehicle’s software is a routine part of modern car life, much like changing spark plugs was for previous generations.
The National Highway Traffic Safety Administration (NHTSA) has created “non-binding and voluntary” guidance to the automotive industry for improving motor vehicle cybersecurity. It focuses on both wireless and wired connections, as well as vehicle-to-vehicle (V2V) communications. In 2015, the NHTSA formed the Automotive Information Sharing and Analysis Center, Auto-ISAC, an industry environment emphasizing cybersecurity awareness and collaboration across the automotive industry.
V2V and vehicle-to-infrastructure connections are especially perilous as they are a two-way street, which exposes both to potential cyberattacks. Vulnerabilities in either the vehicle or the infrastructure can be exploited, leading to unauthorized access, data breaches, or the manipulation of vehicle commands.
“Vehicles connected to infrastructure continually exchange data, which may include sensitive information about drivers, such as location, driving habits, and personal identifying information. Ensuring the privacy of this data is critical, especially if it is stored or shared without adequate protections,” said Caviglioli.
That extremely sensitive personal information and vehicle usage data is important to automakers (who want to show they are protecting it) as it is how they connect with their customers, among other things.
Ford said that it uses that data to improve quality, minimize environmental impact, and make its vehicles safer and more enjoyable to drive and own. It also offers customers a choice as to whether they wish to share connected vehicle data with them.
“Customers may turn vehicle connectivity off entirely (resulting in a disconnection from the cellular network) and may exercise granular settings that control sharing vehicle data (e.g., odometer, oil level), driving data (e.g., braking), and/or location data,” a Ford spokesperson told Newsweek.
It said that owners can continue to use services that do not rely on the data they choose not to share.
Automobiles are susceptible to cyber threats just like your home computer or smartphone. They need to be protected the same way to ensure safety, privacy, and more now than ever, the proper functioning of vehicle and safety systems.
“Customers should regularly check for and install software updates for their vehicle, as automakers often release patches to fix vulnerabilities. When using in-car Wi-Fi or Bluetooth, they should ensure they are connecting to secure networks and avoid using public Wi-Fi. They also should create strong, unique passwords for any connected services, such as navigation or entertainment apps linked to their vehicle,” Caviglioli said.
“Despite this, if they suspect their vehicle has been compromised, they should contact their dealer or manufacturer to report the issue and seek guidance.”