For as long as there have been internet-connected vehicles, hackers have been trying to break into them. Several have succeeded. And their numbers are growing.
In 2010, researchers at UC San Diego and the University of Washington showed how hackers could gain access to a 2009 Chevy Impala through its OnStar in-vehicle safety system. Once inside, they were able to control the brakes and eavesdrop on conversations within the car.
Five years later, security researchers Charlie Miller and Chris Valasek remotely commandeered a 2014 Jeep Cherokee with Wired reporter Andy Greenberg behind the wheel. By exploiting a flaw in the car’s cellular connection, they were able to kill the engine, cut the brakes, and hijack the steering from 10 miles away. (Chrysler later issued a recall for 1.4 million vehicles containing the flaw.)
And late in 2021, 19-year-old researcher David Colombo hacked into more than two dozen Teslas in 13 countries from his home in Munich, Germany. He was able to control locks, lights, and temperature, as well as learn a car’s location and the owner’s email address.
The Jeep hack was a serious wake-up call for carmakers and automotive suppliers, which began taking cybersecurity much more seriously. “When it comes to critical systems within the vehicle, a lot has progressed since 2015,” says Jennifer Tisdale, CEO of GRIMM, which helps auto suppliers identify and mitigate security vulnerabilities. “Is there still a ways to go? Absolutely.”
Tisdale’s big questions are about long-term security: What happens after a vehicle leaves the lot and is in the wild for years? When vulnerabilities are identified, will carmakers promptly issue software patches? And will individuals and businesses do a better job of keeping their cars updated than they’ve done with their computers?
“We don’t have an answer for that yet,” she warns.
The threat of automotive hacks has an impact on everyone, including and especially operators of commercial vehicles, whose fleets could be held hostage, costing them millions in downtime and ransom payments. Or, worse, an adversary could commandeer a company vehicle and turn it into a weapon, endangering reputations—and lives—in the process.
Here’s what business owners need to know about the growing risk of automotive cyberattacks.
Black hats on the attack
Historically, security researchers and so-called white hat hackers working on the side of industry have uncovered most automotive cybersecurity flaws. But that’s starting to change.
In 2021, malicious actors performed nearly 57% of the 240 known automotive attacks, according to Upstream Security’s annual Global Automotive Cybersecurity Report. That’s up from just under 50% prior to 2020.
According to the report, incidents in 2021 had the following characteristics:
- 85% involved remote access to a vehicle.
- 40% were data breaches of servers that communicate with connected vehicles.
- 24% took remote control of important car systems, often via mobile apps. (Tesla hacker Colombo gained access via TeslaMate, a third-party app.)
“Hackers are looking at areas where there is money to be gained, whether that’s ransomware attacks on fleets or stealing sensitive data, such as customer billing details from hacked EV charging stations,” says Guy Molho, vice president of products at Upstream, whose security technology is installed in more than 10 million vehicles worldwide. “The general rule is simple—they’ll focus on achieving the highest payday.”
Ransomware attacks on fleets are the number one concern for researchers at GRIMM, Tisdale notes. There have already been multiple attacks on trucking companies over the past few years, although nearly all have centered on back-office fleet management systems. While no direct attacks on vehicles have been reported, they’re a key concern of the nearly $800 billion U.S. trucking industry.
A massive cyberattack surface
Internet-connected and autonomous vehicles are particularly susceptible to exploits because of the daunting complexity of their software systems.
Modern cars contain anywhere from 40 to 150 electronic control units (ECUs), computer chips that control everything from the temperature inside the cabin to automatic braking when that 18-wheeler in front of you suddenly screeches to a halt. The software running on these ECUs consists of more than 100 million lines of code—many times more code than what’s found in the U.S. Air Force’s F-35 Joint Strike Fighter, for example.
Vehicles are also a data-rich target. Connected and autonomous cars generate massive amounts of data. (Estimates range from 300 gigabytes to 32 terabytes a day.) It’s a trove of information about drivers’ locations, driving habits, billing details, and car performance, which attackers could use to extort or embarrass companies and high-profile individuals.
The vehicles most vulnerable to attack are those offering external interfaces like key fobs, telematics, entertainment systems, and third-party apps, notes Slava Bronfman, CEO and co-founder of Cybellum. Its platform enables auto suppliers to create digital twins—virtual simulations of cars and their components—that can be probed for vulnerabilities from their initial design through the life cycle of the vehicle.
Bad actors look to attack vehicles with the fewest protections, adds Tisdale of GRIMM. In 2015, that was the car or truck itself. Today, it’s the entire environment in which the vehicles operate, which includes the servers, satellites, and cell towers they communicate with, as well as infrastructure like smart traffic lights, embedded roadway sensors, and charging stations.
Time to regulate
The computer industry learned relatively early that sharing information is essential for identifying and mitigating security threats. That’s why the U.S. Computer Emergency Readiness Team (US-CERT) was created, and why databases like Mitre’s list of common vulnerabilities and exposures (CVE) exist.
Auto manufacturers and suppliers have traditionally been averse to sharing information with competitors. That began to change in 2015 when the industry established the Automotive Information Sharing and Analysis Center (Auto-ISAC). Even so, says Tisdale, security vulnerabilities are still a sensitive topic for many in the industry.
But new regulations from the United Nations Economic Commission for Europe (UNECE) are compelling automakers to up their cybersecurity game. The regulations establish cybersecurity performance and audit requirements for all new vehicle types sold in 2022 and all new vehicle registrations starting in 2024, notes Niranjan Manohar, director of consulting for connected cars and the automotive internet of things (IoT) at consulting firm Frost & Sullivan. While the U.S. is not among the 54 member countries of UNECE, American automakers will need to abide by its rules if they want to sell cars in countries that are.
The introduction of regulations is a major step, says Bronfman, but there’s still more work to be done. “While original equipment manufacturers (OEMs) and suppliers have started working on compliance, it’s still often seen as a requirement to be fulfilled instead of a means to make vehicles bulletproof from cyberattacks,” he adds.
It won’t be easy, warns Manohar. “Limited technical expertise and huge upfront costs involved in executing new processes will challenge in-house implementation for OEMs,” he says. As a result, major automakers and suppliers are partnering with security companies like GRIMM, Upstream, and Cybellum, among others.
Dumb to be smart?
Frost & Sullivan predicts that 86% of cars rolling off the assembly lines in 2025 will be connected to the internet. And nearly all cars sold over the past few years contain some form of automated driver assistance technologies that could be targeted in an attack, such as adaptive cruise control or hands-free steering.
If you’re not already using a connected or semi-autonomous car or truck, you soon could be. But your options for securing them are minimal: You can’t download your own software to protect your iPhone on wheels, and you won’t be able to log off.
Automotive companies will continue to provide updates to their security and other internal software, says Manohar. But how secure will these updates be? Will companies be able to perform a complete firmware-over-the-air update? Will consumers or business employees be fooled into accepting malicious updates, as they often are with their computers? These are problems that car manufacturers and suppliers still need to solve, he says.
Companies that own or operate connected fleets will need to employ the same or better cyber hygiene and patch management policies as they do with their other digital assets—and keep a close watch on new threats as they arise.
Upstream’s Molho believes consumers and companies will make buying choices for cars and trucks in the future based in part on security features, which will force manufacturers to respond. Bronfman recommends that the auto industry adopt a cybersecurity rating system, similar to the National Highway Traffic Safety Administration’s safety ratings.
Until then, companies and consumers need to do whatever they can to protect themselves.
“In the hacker community, we have a saying: ‘It’s dumb to be smart,’” Tisdale says. “Now we have smart cars, smart cities, and intelligent transportation systems. Billions have been invested in these technologies, and we’re not going back. So the question becomes: How can we work collectively to ensure security?”