IHS Automotive has been tracking the growing threat of car hacking as connected cars become the norm. It is not easy, but it is possible to wirelessly take control of connected car systems and core control systems, as shown by the recent hacking attacks on the Chrysler Jeep by two cyber-security researchers, described in a Wired article. This is definitely a scary event that will have a significant impact on how the auto industry views cyber-security. Here are some perspectives on what happened, what it means and what the impact will be.
According to the report, two researchers were able to hack the Chrysler Uconnect system via a Sprint smartphone and find the IP addresses of many Chrysler vehicles. Then they were able to use their previous research on CAN-bus protocols and additional research on how the Chrysler Uconnect telematics system works to hack into the infotainment systems and into the core Jeep control systems such as the brakes and steering. This means that they could remotely control most of the Jeep driving functions and infotainment functions. They were able to do this due to an apparent flaw in the Uconnect system, which Chrysler has already corrected in a new software version. Since Chrysler does not have remote software updates yet, it will take time for all the owners to get this software updated via dealer visits or a USB download and Uconnect update by the car owner. The details of the hacking attacks are not available, as the researchers have not released details, except to Chrysler. More information will be available at a cyber-security conference next month, but the researchers will not release all the software they have developed. Reports indicate that Chrysler has asked the researchers to release less information than planned at next month's conference.
What does it mean?
The first question is what does it mean for Chrysler Uconnect car owners? Fortunately, it is very unlikely that these vehicles will be attacked by other hackers. The reason is that the researchers spent a large amount of effort (probably a few man-years) to acquire the knowledge to do this. Hence, other hackers would need to spend a lot of time to get equivalent expertise. But the Chrysler owners should get the software update as soon as possible, just in case.
For the auto industry, this is a very important event and shows that cyber-security protection is needed even sooner than previously planned. Five years ago, the auto industry did not consider cyber-security as a near-term problem. This view has changed, especially since the research in 2013 by UCSD and University of Washington showed that wireless hacking of vehicles was possible. The report by Senator Edward Markey on cyber-security earlier in 2015 increased the urgency at most OEMs to add hacking protection for connected car systems. He, along with Senator Richard Blumenthal, introduced a bill yesterday in Washington on the subject.
NHTSA started a cyber-security research project several years ago and is expected to release guidelines on what the auto industry needs to do about cyber-security. Other organizations, such as Southwest Research Institute, also have research into automotive cyber-security. Most auto OEMs are also increasing their effort in cyber-security for future systems. Additionally, there are now products from cyber-security companies that the OEMs can use for better protection.
What is the impact?
The main impact is that cyber-security will be one of the toughest challenges that the auto industry will face in the next decade or two. This event shows that the auto industry needs to add cyber-security protection as soon as possible, and this must start with a thorough review of existing connected car systems, with updates to these when problems are found.
The use of software Over-the-Air (OTA) updates is also likely to grow, with cyber-security updates becoming an important reason to add OTA. These OTA systems already have built-in cyber-security, and the choice of OTA vendors is likely to take their cyber-security capabilities into account. Note that IHS Automotive is currently working on an OTA report for customers to be available later this summer.
What are the solutions?
IHS Automotive forecasts that more than 82.5 million autos worldwide will be connected to the Internet by 2022, more than three times the 26.5 million connected cars this year. In seven years, 78 percent of the cars sold globally will be connected, up from 30 percent now, according to IHS.
Long-term, cyber-security will be required for all cars that have any connection to any device, especially smartphones. In principle, the solutions are straightforward, but the details are exceptionally difficult. Each connected car needs perimeter cyber protection and operational cyber protection. Perimeter protection is needed at all wired and wireless access points, to check and ensure that any data, software or other content is safe and comes from a legitimate source. Operational security is needed because perimeter security will never be 100% secure. Hence, operational security monitors the messages that flow between the computer systems in the car and compares them to a database of valid messages to detect suspicious behavior. These solutions include layers of hardware and software-based cyber-security solutions that receive increasing capabilities as the potential hackers gain expertise in how the auto electronics systems work.
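The operational check described above, comparing in-vehicle messages to a database of valid messages, can be sketched as follows. This is an added example, not code from IHS or any vendor; the CAN IDs, payload lengths and timing values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    dlc: int               # expected payload length in bytes
    min_period_ms: float   # shortest legitimate gap between frames of this ID

# Constructed "database of valid messages": CAN ID -> rule (hypothetical values).
VALID_MESSAGES = {
    0x0C4: Rule(dlc=8, min_period_ms=9.0),    # hypothetical steering frame, ~10 ms cycle
    0x1A0: Rule(dlc=6, min_period_ms=18.0),   # hypothetical brake frame, ~20 ms cycle
}

def check_frames(frames, rules=VALID_MESSAGES):
    """Return (timestamp_ms, can_id, reason) for every suspicious frame.

    frames: iterable of (timestamp_ms, can_id, payload) in time order.
    """
    last_ok = {}   # can_id -> timestamp of the last frame that passed the timing check
    alerts = []
    for ts, can_id, payload in frames:
        rule = rules.get(can_id)
        if rule is None:
            alerts.append((ts, can_id, "unknown-id"))
            continue
        if len(payload) != rule.dlc:
            alerts.append((ts, can_id, "bad-length"))
        prev = last_ok.get(can_id)
        if prev is not None and ts - prev < rule.min_period_ms:
            # Extra frames between the periodic ones suggest a second sender.
            alerts.append((ts, can_id, "too-frequent"))
            continue   # keep the timing baseline on the last accepted frame
        last_ok[can_id] = ts
    return alerts

# Constructed capture: three anomalies mixed into normal periodic traffic.
SAMPLE = [
    (0.0, 0x0C4, bytes(8)),
    (1.0, 0x1A0, bytes(6)),
    (10.0, 0x0C4, bytes(8)),
    (12.0, 0x0C4, bytes(8)),   # 2 ms after the previous 0x0C4 frame
    (20.0, 0x0C4, bytes(8)),
    (21.0, 0x1A0, bytes(6)),
    (25.0, 0x5F0, bytes(8)),   # ID absent from the table
    (41.0, 0x1A0, bytes(3)),   # payload shorter than the rule allows
]

if __name__ == "__main__":
    for ts, can_id, reason in check_frames(SAMPLE):
        print(f"{ts:7.1f} ms  id=0x{can_id:03X}  {reason}")
```
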
Cyber-security will become a major challenge for the auto industry and solutions are long overdue. The auto industry is adding cyber-security, but the question is whether it is fast enough to avoid major incidents. Fortunately, there is not a compelling business model for hacking into cars that will generate revenue for the typical hacker, at least not yet. Indeed, the car can be a lethal weapon for disruption and destruction, but this falls into the cyber-warfare category; it could cause very serious events, but it is not expected to be what the vast majority of hackers will do. The auto industry can strengthen this point by adding cyber-security solutions that make a successful attack more expensive and time-consuming, thus lowering the desirability or profitability of hacking cars.