Hot Wheels: Carmakers strive to stay ahead of hackers

In your garage sits a machine with more lines of code than a modern passenger jet. Today’s cars and trucks, with an internet link, can report the weather, pay for gas, find a parking spot, route around traffic jams and tune in to radio stations from around the world. Soon they’ll speak to one another, alert you to sales as you pass your favourite stores, and one day they’ll even drive themselves. While consumers may love the features, hackers may love them even more. And that’s keeping many in the auto industry awake at night, worried about how they can stay one step ahead of those who could eventually play havoc with the world’s private transport systems. 

Hackers seemingly can’t wait for the opportunity to commandeer vehicles. In 2019, the automotive cybersecurity company Karamba Security posted a fake vehicle electronic control unit online. In under three days, 25,000 breach attempts were made, and one succeeded. The best-known vehicle takeover occurred in 2015 when security researchers on a laptop 10 miles away caused a Jeep Cherokee to lose power, change its radio station, turn on the windshield wipers and blast cold air. Jeep’s parent company, FCA, recalled 1.4 mn vehicles to fix the vulnerability. Today, the effects of a breach could range from mildly annoying to catastrophic. A hacker could steal a driver’s personal data or eavesdrop on phone conversations. Nefarious code inserted into one of a vehicle’s electronic control units could cause it to suddenly speed up, shut down or lose braking power. A fleet of cars could be commandeered and made to steer erratically, causing a major accident. 

A hacked EV could shut down the power grid once the car was charging. Even altering a street sign in ways imperceptible to the eye can trick a car into misperceiving a stop sign as a speed limit sign. And last year, Consumer Watchdog, a non-profit group in Santa Monica, Calif., sent a “!Hacked!” message to the screen of a Tesla. The problem goes beyond demonstration intrusions. Karamba has been working with a South American trucking company whose fleet was hacked to hide it from its tracking system, allowing thieves to steal its cargo unnoticed. And a quick internet search will reveal scores of successful but benign hacks against many major automotive brands. 

“To take control of a vehicle’s direction and speed: This is what everyone in the industry is worried about,” said Ami Dotan, Karamba’s chief executive. The challenge may be even greater than securing the world’s airlines. According to a McKinsey & Company report on automotive cybersecurity, modern vehicles employ around 150 electronic control units and about 100 mn lines of code; by 2030, with the advent of autonomous driving features and so-called vehicle-to-vehicle communication, the number of lines of code may triple. 

Cybersecurity companies must protect a vehicle in multiple ways. Threats include SIM cards carrying malicious code, faked over-the-air software updates, code sent from a smartphone to the vehicle, and vehicle sensors and cameras being tricked with wrong information. Major software and hardware suppliers to the world’s manufacturers build in firewalls to ensure that such elements as infotainment systems are prevented from passing code to systems that regulate speed, steering and other critical functions. Vehicle electronic control units are being designed to send an alert if one system that normally never communicates with another suddenly tries to do so. And they’re also locked down, so that an attempt to inject new code will be thwarted.