Automakers have gotten more serious about protecting motorists from car-related cyber threats, and not a moment too soon. Amid growing concern from Congress and the traveling public, a dozen major manufacturers established an Information and Sharing Analysis Center, which became fully operational in January. Already, the organization’s leaders say they’ve thwarted attacks by sharing threat intelligence and information on vulnerabilities.
The fledgling organization’s leaders discussed their efforts and the overall state of automotive cyber-security this week during the Tu-Automotive conference in suburban Detroit. Their remarks came only days after British security researchers announced they had exploited vulnerabilities in a Mitsubishi Outlander plug-in hybrid (via Wi-Fi connection to the head unit seen in the photo above) that allowed them to manipulate certain vehicle functions. Researchers from Pen Test Partners say they found minimal security measures on the vehicle and easily tapped into the on-board Wi-Fi to access features controlled by the infotainment screen. As the number of connected vehicles mushrooms across the globe, the possibility of similar security breaches grows.
The Bigger Worry: Ransomware
But automotive cyber threats will likely change in nature going forward, moving away from the research-based meddling that the industry has seen so far and toward ransomware attacks that have plagued other industries and offer malicious hackers the prospect of big paydays. To date, ransomware attacks largely have largely targeted hospital and healthcare facilities that rely on real-time information to provide critical care for patients. Hackers threaten to lock vital computer systems until a ransom is paid.
Automotive experts warn that hackers could conduct similar attacks on connected cars, disabling them in similar fashion until they get paid. Or worse.
“We’re lucky that no one has hacked an entire brand of cars and said, ‘I’m going to stop all your cars tomorrow at noon, unless you give me money,’” said Stefan Gudmundsson, director of strategy for cellular products at u-blox, a Swiss company that builds wireless semiconductors for car companies.
That’s the sort of broad-based hack that has worried Department of Defense officials since researchers at the University of California-San Diego and University of Washington first demonstrated that it was possible to breach the electronic systems in cars six years ago. Until recently, the auto industry seemed slow to address vulnerabilities. The remote hack of a Jeep Cherokee by researchers Charlie Miller and Chris Valasek disclosed last summer finally brought those worries—from both the industry and federal officials—to the forefront.
Cooperation to Confront the Threat
Industry leaders had already started work on establishing the ISAC by that point, but the Jeep hack accelerated their timeline and expanded the scope of their plan. Now, ISAC officials are adding suppliers to their group faster than anticipated. Delphi was the first to join earlier this year. Jon Allen, executive director of the ISAC, said four more suppliers are expected to join the organization within a week and that it’s possible another eight more companies will join by the end of June. One of them might be Google.
“Google is a major one, especially with their relationship with FCA,” Allen said. “We’re in discussions with Google.” A Google spokesperson declined comment.
Whether it’s a tech giant like Google or a Tier-3 supplier, involving any company outside the scope of a major automaker’s internal engineering corps is tricky business. A major hurdle in setting up the ISAC, which relies on companies self-reporting their vulnerabilities, was getting them used to the idea that they might have to share some proprietary information. Adding suppliers that might be doing work for multiple automakers complicates an already-delicate balance. Convincing automakers to share information in the first place required a “cultural shift,” Allen said.
Within the first few months, the automakers have already confronted public hacks of the Nissan Leaf and now the Mitsubishi Outlander. There have been other threats discovered that never made headlines, Allen said. Sorting through the fallout of those vulnerabilities has helped the automakers gain trust in one another.
“I think we come together when it matters most,” said Henry Bzeih, managing director of connected and mobility for Kia. “We’re competitors, obviously, but we’re pragmatic and we find ways to work together and have answers on the things that matter most—safety, V2V [vehicle-to-vehicle communications], SAE standards. Cyber security has been an amazing ride so far, and we’ve made amazing progress trusting each other.”
Powered by WPeMatico