Hackers Revving Up For Connected Car Era
July 25, 2016 (Cy-Pher) — In the era of connected cars, it seems like everyone is concerned about hackers exploiting security vulnerabilities and putting the safety of drivers and the public at risk. While most of us typically think of hackers taking over our laptops or smartphones, we rarely think twice about them taking over the steering wheel, shutting down the engine or disabling the brakes. This is not a hypothetical concern. It was serious enough for the FBI to put out a statement this year reminding the public that it should avoid making modifications to their car’s software and to pay special attention to software updates/recalls by auto manufacturers.
With GSMA Research estimating that almost every car on the road will be connected by 2035 and that 75% will be autonomous by 2025, it is no surprise that auto manufacturers are concerned about cyber threats. In response, the Automotive Information Sharing and Analysis Center (Auto-ISEC) last week released a set of cyber-security best practices for connected cars – an initiative that designed to demonstrate the collective commitment by automakers to make modern cars safer against emerging cyber threats. China also announced a similar initiative last week by setting up a committee that will research and work out standards, policies, laws and regulations for connected car. The question is whether these initiatives are enough and whether they are being built into the auto manufacturer’s R&D processes – especially where all auto manufacturers are rushing to bring new products to market.
How real of a threat do hackers pose to connected cars? The most famous example of how hackers can take over a vehicle was last’s year’s demonstration where researchers were able to remotely hack into and shutdown a reporter’s car on the highway. There have been other documented examples where thieves have used software vulnerabilities to open locks and steal cars.
In an environment where auto manufacturers are competing in the connected car business (and soon, driverless), there is a real concern whether security is an afterthought rather than a central focus at the R&D stage. There are real concerns around the legal issues resulting from the rise of the connected car, for example:
- What is the liability of the manufacturer? There are many ways for vehicle software to be updated, ranging from wired to over-the-air updates. Should a software security vulnerability be brought to the manufacturer’s attention but an accident occurs before the update can be provided to drivers (or during the update rollout period), what will be manufacturer’s liability?
- What Will Insurance Coverage Look Like? While cyber insurance has seen exponential growth in recent years, insurers are struggling with what falls within cyber coverage and what should be covered under existing insurance products. It remains unclear how insurance coverage will evolve in the auto space and whether it will be sufficient given the risk hackers pose to connected cars.
- Is Anyone Thinking About Privacy? The cost of connected cars is data – lots of it. Drivers will be asked to provide significant amounts of personal data to manufacturers to “customize” their driving experience. Everything from geo-location, trip itinerary, etc. will potentially be disclosed to the manufacturer. Depending on the type of information, hackers may be tempted to steal this information and sell it on the dark net. Given the potentially granular detail that can be pulled from the connected car of the future, it is unclear how this information can be used to harm drivers not to mention the potential compliance issues connected with global privacy regimes.
- Using Vehicles As A Weapons. There is a real concern that criminals and terrorists may use connected vehicles as weapons to spread fear and destruction. Given the anonymity and low cost associated with hacking, there are concerns that this may be a tempting option. It is unclear at this stage how much collaboration exists between auto manufacturers, regulators and security agencies on this issue.
It is clear that connected cars are here to stay and will continue to evolve. Auto manufacturers are working hard to offer innovative products to drivers and hoping, in the process, to get a leg up on the competition. However, security has to be a primary focus in any product development and rollout – otherwise the cost can be very high for the auto manufacturer, the driver and public.
Imran Ahmad is based in Toronto and leads the cybersecurity law practice at the Canadian law firm Miller Thomson LLP.