OEMs Scramble To Bolster In-Car Cyber Security
Until about 18 months ago, car makers generally downplayed the threat of a hack attack on the increasingly sophisticated systems found on-board a modern automobile. Cars were difficult to hack, according to car makers, and they actually seemed surprised when some researchers actually did it. It turns out the cars are far easier to hack that the car makers have ever admitted and the spotlight is now shining on their vulnerability as highlighted on the CBS news program 60 Minutes, a contentious report from the staff of Massachusetts Senator Edward Markey, an article in NAFA FLEETSolutions magazine as recently as last year, and the move by BMW to send out a security patch to some 2.2 million vehicles with connectivity systems.
In fact, Andrew Brown, the Chief Technology Officer at Delphi Corp., said during a discussion on automotive cyber security organized by Center for Automotive Research in Ann Arbor, MI, that Delphi actually invited a small group of Black Hat hackers to put on a demonstration for car makers and their suppliers last summer. One of the demonstrations was conducted by a 14-year-old computer whiz, who used a handful of components he bought at Radio Shack for less than $20 to break into a vehicle’s system, Brown noted.
Car makers have been protected from hacking up until now because the "malicious" hackers have bigger and better targets, said Anuja Sonalker, a cyber security expert from the Battelle, a private research institute based in Columbus, Ohio. Hacking into one car doesn’t accomplish much for a hacker, she said. It’s more likely they would use a car as the "springboard" into a larger target, such as computers and servers used by police officers or financial institutions. The panelists also noted there are dozens of ways for hackers to reach into a car’s operating system. Connectivity and Wi-Fi systems are one way, but USB ports and radio signals offer other avenues.
The good news for automakers is that there plenty of standards developed in other industries, notably the aerospace industry, where cyber security is fundamental issue in engineering systems, have basic standards that could transfer to the automobile business, according Brett Hillhouse, an engineering executive at IBM. Up until now, car makers have attacked the cyber security on piecemeal basis; however, a more systematic and all-encompassing approach is required. Every time car makers add an electronic feature, such as keyless entry, you create portal for potential hackers, Hillhouse told the session. But the security issues were rarely addressed and never in any kind of comprehensive fashion.