Cybersecurity experts agree that despite all the hand-wringing and worrisome articles about what hackers may do to the connected car, their primary motives are far more conventional. The experts don't expect hackers to take over cars and drive them off cliffs -- with you inside -- instead, they believe cybercrooks want your identity and money.
Although you may be worried that some nefarious hacker will take over your Volkswagen Golf GTi, Audi A4 or Genesis G80 and cause it to careen all over the place, hitting other cars, trucks, animals and finally smash into a utility pole, that’s not the direction cyber-moles will use. Instead, cyber experts agree havoc on the highways isn’t the primary goal of cyber-criminals.
Rather, cyber experts say hackers are interested in something much more old-fashioned. It’s pretty dull, too. They want your identity and, if they can get it, your money, as well.
Auto Hacker Takeovers Unlikely
Craig Smith, security research director at Rapid7, said that “hacking … a car and controlling it … would be a psychotic thing to do … few people would want to do that.” No, he said, it takes time and energy to hack your Audi or Genesis (or whatever car you may be driving), so there has to be some payday for them. That means they are “usually after data.”
Pointing to automotive connectivity, Di Ma, in an interview with Automotive News, believes criminal hacking attempts are a certainty. To date, most of the hacks have been by white hat researchers. It makes it hard to predict the outcome when real-world criminal hacks will occur in the future. Ma is a professor at the University of Michigan Transportation Research Institute.
Andre Weimerskirch, the Lear Corp.’s vice president of cybersecurity, said that while there are no concrete examples, security experts have some idea of what would attract hackers. The analysis is based on the currently perceived capabilities of hackers as well as the threats that other heavily networked industries have faced. As they say, money here is at the root of the problem. Physical attacks on cars would be conducted only by a small number of bad actors.
Since “safety-critical attacks don’t provide any obvious money return,” Weimerskirch wrote, cyberpunks will “try to find exploits that provide a financial return.” Weimerskirch made his observation in an email to the Automotive News. Here are the exploits cyberthugs might try:
- Cellphone cracking – Many devices – smartphones or tablets -- connect to a car’s systems via the USB port, making the device a part of the vehicle’s electronic universe. As part of the car’s Hackers could get into it and steal credit card and identity info. Also, the cyber-thieves could try to take over apps and, using location data, either access your home network and steal its information or break into your home, when you are not there. They can determine your schedule from your devices if you use them to store it.
- Easier vehicle theft – Cyber-crooks can easily open your car’s door locks and steal your car, without using a Slim Jim.
- Ransom – Some cyber-gangsters could try to take over a car, forcing an owner to pay a ransom to regain control.
Conversations Are Important
It may also be possible, thanks to widespread vehicle connectivity, to locate police car or to eavesdrop on backseat conversations via an auto’s Bluetooth microphone, Smith told the trade paper. Limos may make attractive targets of opportunity. “Conversations in the back of a limo can hold” lots of value. Limo chats make things far more “interesting for an attacker.”
And, consider this, automotive connectivity is still rolling out. IHS Automotive has estimated that fully 55 percent of all cars sold across the globe will be connected. Today, about 50 percent of all cars have some networking.
Interestingly, while the auto industry is rushing toward the connected car at breakneck speed, it is a lopsided race. Lost in the wake of the rush is cybersecurity. Here are some sobering statistics:
- While all makers are pushing connectivity only 40 percent have dedicated cybersecurity units.
- Automakers aren’t prepared to take on hackers. A McKinsey and Company report puts the number of automakers ready to handle the hacker threat at less than 50 percent
- There’s a huge hole in protection. Most automakers say they have huge exposures to cyber-crime. Fully 85 percent put assess their cybersecurity threat level at medium to high.
Sensible Defensive Strategy
Faced with such a security nightmare, Rapid7’s Smith laid out a sensible defensive strategy:
- Automakers must constantly watch for software bugs and other weak spots.
- Automakers need to respond to vulnerabilities with software updates. Tesla consciously pushes out software updates via its over-the-air network. They make fixes as they find the problems.
- Automakers must set aside their innate need for secrecy and open lines of communication across the industry so that all potential problems can be found and fixed before any hackers use them.
These actions will contribute substantially to making cars hacker-proof. However, Smith said, “even if you do everything right, something could have a bug in it somewhere down the road.” It means that the industry has to keep its guard up to protect consumers.
Why all the pointing at VW
Why all the pointing at VW and Audi Marc? Many/most brands systems are "hackable".