Summary: The auto and tech industries must do a better job of communicating the facts of vehicle data and network security, acknowledging the potential vulnerabilities of these systems to “hacking” as well as promoting the countermeasures being implemented. The purpose of this is to recapture the narrative from those that would otherwise sensationalize the issue and create unnecessary panic among consumers when considering vehicles with connected features and services.
We believe that there are genuine vulnerabilities to any vehicle that is connected in some way to the Internet or to network gateways with the potential of being hacked. Yet, with the high level of noise emanating from the business and tech communities about how vulnerable drivers are in their new, technology-laden vehicles, we believe there is a need for objective, fact-based dialogue on what the real threats are, where we stand today on vehicle electronics security and what measures are being undertaken by car companies and the tech industry in general to identify and anticipate these intrusions.
Hackers looking for a challenge gravitate, of course, to emerging targets such as the automobile. The threat is there, but the dialogue we are hearing is overly simplistic. We have been treated to headlines such as “How Hackers Could Slam On Your Car’s Brakes,” for instance. The demonstration by security researchers Charlie Miller and Chris Valasek that drove this headline did not actually remotely hack a car; the demo required a physical presence in the vehicle, partial disassembly of the dashboard and a hardwire connection to the vehicle OBD-II port through a laptop computer interface.
This demo raises the questions: What constitutes vehicle “hacking” versus vehicle “tampering”? What true value can we derive from a demo that goes out of its way to manually override drive systems by any practical means, irrespective of whether they are “connected”? A computer-free 1963 Ford Galaxie 500 could be “hacked” to misbehave if given the same access to the car’s electrical and hydraulic systems.
While the duo is doing the auto and tech industries a slight favor by correctly pointing out potential hacking vulnerabilities, they are also showing the countermeasures that are already in place to prevent such intrusions.
We believe the issue needs to be framed more honestly, with the purpose of creating the right narrative, one that is correctly understood by developers, automakers and consumers.
First off, we need to identify some basic shortcomings in data and network security that could be exploited. Devices as innocent as the USB drive have proven to have serious security flaws in their compatibility-over-security design that could import malware onto a vehicle’s infotainment platform and possibly elsewhere. Off-board, cloud-based data security must also be vastly improved to sustain the integrity of on-board cybersecurity systems in place. And while pointing out the specific security shortcomings of existing connected and on-board vehicle systems is not practical – countermeasures are being developed in real time via reverse-engineering by some of the most capable hackers available – we must encourage the auto and tech industry to remain ever-vigilant and never stop innovating against hacking intrusions.
Secondly, a narrative must be promoted that explains how the auto industry is rising to the challenge of the National Highway Transportation Safety Administration by collaborating industry-wide to establish standardized guidelines for cybersecurity. The Alliance of Automobile Manufacturers recently initiated such a collaborative resource and encourages businesses, government and academia to work together to stay ahead of hackers.
Lastly, the auto and tech industries need to quickly and decisively take back this narrative by addressing concerns raised by the business and tech media as well as those from tech conferences and “hackathons,” and by mobilizing communications on this issue in a coordinated manner. We don’t encourage putting forth positions that are reactive or argumentative. Rather, we must take much of the effort previously mentioned here and create proof points and digestible facts that can be confidently repeated in context with more realistic, industry-promoted reporting of connected technology and the true challenges it faces.