When the New York International Auto Show kicks off on March 30, the world’s leading manufacturers will showcase a wide range of new high-tech and futuristic vehicles.
But there is a downside to all of the ‘smart’ and ‘connected’ technology that is finding its way into today’s automobiles. While the innovation offers new features and conveniences for consumers, it also makes vehicles more vulnerable to hackers.
That is a problem which the auto industry is not fully prepared for and it probably never will be.
As cars are increasingly computerized, they are becoming more reliant on software and firmware than ever before. And anyone who’s ever owned a PC should know that there is no such thing as 100 percent secure software.
Just consider how often computer patches are rolled out. Every software product has some type of inherent vulnerabilities, and even well-designed software still has features and weaknesses which hackers can learn to exploit. As the auto industry turns our cars into computers on wheels and then gives them connectivity via cellular signals, WiFi or Bluetooth, it is enabling new attacks on these systems by malware and remote hackers.
Automakers are trying to address these new threats, but there is no way to prevent them completely.
A “disco-ball” mirror covered Electric Drive Smart Car is seen on display at the New York International Auto Show in New York City April 20, 2011. REUTERS/Mike Segar
A hacked Jeep Cherokee
Adding to the risk, these new vehicle features are managed by technology which has significant underlying vulnerabilities.
The CAN bus (controller area network) is essentially the hub for microcontrollers and devices inside the car. This technology dates back to the early 1980s. The ECUs (electronic control units), which are the embedded devices inside the car controlling specific functions, like the engine, suspension, brakes, transmission, speed control, etc., also contain many design weaknesses which can be exploited by a hacker.
Security updates and patches are common in the software world. But it is one thing to issue a patch for a vulnerability in a PC and quite another when it is a software glitch in a car that could allow remote access to the transmission.
In 2015, security researchers demonstrated a Hollywood-style cyber attack on a Jeep Cherokee as it drove down a St. Louis highway. The hackers were able to gain remote access from several miles away and control key functions of the car like brakes, steering, and transmission. This is an extreme attack and probably not very likely to occur in the real world — at least for now. But it doesn’t mean that less sensational threats will be any less worrisome.
A smart Jeep being hacker. Photo: Screenshot/Wired.
The problem with patching cars
Malware and weaponized exploits are a constant issue for every software and firmware company in existence. There is no reason why we won’t see them in high numbers for vehicle-related systems as well.
The difference, however, is that a vehicle is a critical system — interfering with its functionality could mean injury, or even death, for the victim. That means every incident will require a diligent response from the car maker, and government intervention in certain cases is extremely likely.
To make matters worse, getting a security patch out to the affected vehicles is not at all easy. At a minimum, for now, drivers will have to install the updates through a USB stick inserted into a dashboard port. In other cases, they may have to physically bring in the smart car to the dealer.
Both of those are an imposition on the consumer, which means two things: First, patches will not be implemented as often as they should be, leaving drivers at risk and the automaker liable; Second, every software fix will annoy the consumer, thus harming the brand’s reputation.
There are an estimated 263 technology companies out there that are actively working on various types of automotive products, ranging from in-car software to self-driving vehicle systems.
Every one of those software products is likely to have vulnerabilities at some point in its lifecycle that will require a patch to fix.
A smart car is seen on a screen while a worker sweeps the stage before the Mercedes-Benz & smart Media Night at the 2015 New York International Auto Show in New York March 31, 2015. REUTERS/Andrew Kelly
What investors should consider
Last year, the U.S. government set an important precedent for all industries — including car makers — when it issued a recall for RF-enabled pacemakers. It also set a key precedent for the auto industry when the U.S. National Highway Traffic Safety Administration (NHTSA) launched a recall query into Fiat Chrysler Automobiles’ recall of 1.4 million vehicles for the 2015 Jeep hack.
For investors, the key takeaway from both of these incidents is that the U.S. government is taking cyber threats seriously, particularly when they pose a direct danger to a person’s physical safety. Given the very nature of the automotive industry, there is a stronger likelihood of government intervention in the aftermath of a significant cyber event than for most other industries.
Many investors have grown numb to corporate data breaches since they rarely do much long-term damage to the company. Massive breaches from Target and Home Depot to Yahoo and Uber have come and gone. And while they’ve certainly dented the bottom line and in some cases even caused heads to roll at the top, they have rarely disrupted the company to a significant extent.
But automakers are different.
If a cyber attack succeeds against a particular car model or brand, the results could be extremely disruptive. Consumers could be in immediate physical danger. Injury and/or loss of life could occur. Immediate action will be required.
Investors need to think about the cybersecurity issue for car makers because it poses a long-term problem for this industry. How each automaker deals with software security will be critical to its reputation among consumers and to its financial performance.
Jason Glassberg is co-founder of Casaba Security, a cybersecurity and ethical hacking firm that advises cryptocurrency businesses, traditional financial institutions, technology companies and Fortune 500s. He is a former cybersecurity executive for Ernst & Young and Lehman Brothers.