- Cybersecurity wasn't always a consideration for automakers, but advanced infotainment and tech features have left modern cars vulnerable to virtual attacks.
- Stalking, illegal data collection, and jail braking are all examples of present-day vehicle hacking, though experts fear that advanced driver-assistance and semi-autonomous driving systems could also be affected.
- NHTSA reports and independent, good-faith hacking events like the 2023 Pwn2Own Hacking Competition allow manufacturers to understand and observe deficiencies firsthand.
With hundreds of thousands of dollars on the line at the Pwn2Own Hacking Competition, a group of hackers from Synacktiv, an offensive security company, had quite the incentive to display the cybersecurity weaknesses of Tesla's Model 3. Tesla, a company famous for its lacking public relations but also for its technology, actually volunteered the Model 3 for this hacking test, in an effort to explore just how vulnerable modern cars are. And the short answer is that all cars, even Teslas, are generally vulnerable.
The team at Synacktiv was able to compromise the Model 3's infotainment through Bluetooth, ultimately gaining access to the top level of internal code. Everything besides the Autopilot system was available for hackers to disrupt remotely. This involuntary adjustment of lighting, maps, and music may seem diminutive for roadway safety, but it sets a dangerous precedent for the future of connected cars.
Tesla's participation should be cautiously praised for furthering automotive cybersecurity prowess, though the company isn't exactly known for keeping its customers' data safe. A new privacy breach lawsuit against Tesla has illuminated a lack of virtual safety even from within, and consumers are starting to catch on to a new venue of cybersecurity considerations. Of course, cars aren't just a frame, an engine, and wheels anymore but rather a system of electrical systems.
But if other OEMs are at a similar risk of penetration, should consumers spend their waking hours worrying about the cybersecurity of their vehicles? Is their personal information safe? And will a compromised navigation system drive them into nearby bodies of water?
Dustin Childs, head of Threat Awareness, Zero Day Initiative at Trend Micro, says consumers shouldn't panic about these issues, mostly because they can't do much about it alone. However, Childs says cybersecurity is set to be a defining factor for the auto industry, as manufacturers develop new infotainment and tech features at a rapid pace.
"In the next five to 10 years, we will see something big in automotive security that happens and hopefully it's just a big recall. It's more likely than not that something will happen very negatively when it comes to automotive technology," Childs tells Autoweek in an interview.
The systems at risk will vary by vehicle and the kind of threat, though a few key features are of particular interest to both sides of the cybersecurity spectrum. As most modern vehicles feature advanced driver-assistance systems and even some semi-autonomous capabilities, experts' worst fear is that bad actors will maliciously disrupt the movement of a vehicle.
This problem may be exacerbated by the slow shift away from hydraulically connected vehicle controls, as computer-operated drive-by-wire style controls could be more susceptible to remote attacks. The infiltration of navigation systems even poses a significant risk for stalking and targeted theft. Of course, your personal data and information are always at risk, and a connected vehicle provides yet another entry point.
Alternatively, there are some gray-area reasons for hacking into the infotainment of your vehicle. For example, Childs says subscription-based features like heated seats or certain screen functions could be easily jail-broken, allowing consumers to skirt monthly payments for already installed features. This could also allow for the integration of custom functions or displays from the infotainment screens, like those who stream videos from their Tesla.
In either case, these virtual intrusions pose a challenge for automakers, who are now tasked with creating a mechanically and technologically sound product. In order to build virtually secure vehicles, you need to understand how bad actors actually get in. And Childs says that Bluetooth, WiFi, and other external connections like charging ports are often to blame, given these systems are designed to connect with other devices.
"Obviously, the systems need to talk to each other, but we need to make sure that it's the right systems giving the right messages, and there's not an opportunity for a threat actor to send the wrong messages and the wrong communications between the systems," Childs explains. "In a way, it's a bit like the Titanic, in that it was designed so that water could come in and then be stopped."
Childs says these kinds of infiltrations are happening now, and it will likely only get worse as cars get more advanced. The National Highway Traffic Safety Administration concurs as it has already recorded 1.4 million vehicles impacted by a 2015 cybersecurity recall. Furthermore, the federal agency issued a 24-page memo on best practices for automotive cybersecurity, with a primary focus on the mitigation of safety-critical risks and containing intruders.
Even so, manufacturers continue to roll out new, personalized tech features, in order to stay competitive in a fierce market. For example, Hyundai's Ioniq 6 will feature a Metaverse connection while the Polestar 3 and Volvo EX90 boast internal electronics from Nvidia, Luminar, and Qualcomm. All of these features make up the selling points of these models, whether for safety reasons or modern social media connectivity, but they might also offer an entry point for hackers too.
In fairness to every automotive manufacturer, it's obvious that cybersecurity is massively important, with many automakers employing specific cybersecurity engineering teams. And it's not a problem with a clean, easy solution either, given the complexity and mystery factor of potential future attacks. Despite this, Childs says he doesn't want consumers to be driven away from technology by fear, because it's not a bustling dark market just yet.
"Really, more than anything else, it's profitability. Right now there's no money in taking out these cars," Childs says. "If there comes a time where a threat actor can really figure out how to monetize their research, even in a negative light, then it's much more likely to pop out."
Should more manufacturers participate in good-faith hacking events? Why or why not? Please share your thoughts below.
A New York transplant hailing from the Pacific Northwest, Emmet White has a passion for anything that goes: cars, bicycles, planes, and motorcycles. After learning to ride at 17, Emmet worked in the motorcycle industry before joining Autoweek in 2022. The woes of alternate side parking have kept his fleet moderate, with a 2014 Volkswagen Jetta GLI and a 2003 Honda Nighthawk 750 street parked in his South Brooklyn community.
