Skip to Content

Carmakers Accelerate Security Efforts after Hacking Stunts

Manufacturers are trying to improve cars’ computer security, even as they add functionality that could open up new avenues for attack.
August 14, 2015

Your next car might come with a great safety rating or reliability score, but how hackable will it be?

Security researchers recently demonstrated several tricks for hacking into cars in order to take control of components such as the stereo and windshield wipers, and even the engine and brakes. In one example, a pair of experts remotely deactivated the braking system on a Jeep Cherokee as a journalist drove it down the road.

Unsurprisingly, carmakers have begun taking computer security a lot more seriously, but they have been blindsided by the speed of technological change within the industry, and especially by how the addition of connectivity has opened cars up to attack. At the same time, they are rapidly adding new functionality that will require extra security scrutiny.

The electric-car maker Tesla is ahead of the curve, with a car that is both highly computerized and connected and relatively well protected against hackers. Unlike most cars on the road, the latest Model S features an internal computer network that separates different systems, making it harder for hackers to jump from one system to the next. The experts who breached the Jeep, for instance, used the entertainment system as a way to access other vehicle components. Other carmakers are now developing similar systems, says Joshua Corman, an independent security researcher who consults with car companies. “There’s really no reason to have the stereo speak to the brakes,” he says.

Carmakers are also reviewing their approach to dealing with security flaws and bugs, meaning they will invite security researchers to alert them to problems and work with them to get them fixed (rather than threatening to sue them, as has happened in the past). Tesla has offered cash bounties to those who disclose such problems. Several experts in the field say other car companies may soon do the same. Corman says two automakers had planned to reveal a new approach at Defcon, a major computer security conference in Las Vegas, but were deterred by the negative press attracted by the Jeep hack.

More carmakers are also devising ways to patch the software on their cars remotely, to address problems more quickly. So far, only Tesla and BMW are capable of this, but Ford recently said it would introduce the functionality in its vehicles, although it did not specify when.

Many experts say carmakers need to do much more, though. Corman also advocates, among other things, adding a “black box” to the computer network inside vehicles so that hacking attacks could be recorded and traced after the fact. Such a device, or something similar, might also be used to detect and stop an attack in progress.

Academics have been hacking cars for years (see “Taking Control of Cars from Afar”). But the introduction of cellular connectivity has made it easier to compromise a vehicle. Craig Smith, a security researcher who tests security for many carmakers, says he has performed feats similar to the Jeep hack in that capacity. “When it comes to finding an exploit, there are only a couple of new things you need to learn,” he says.

Most automakers are letting smartphones connect to the dashboard via Apple’s CarPlay and Google’s Android Auto (see “Rebooting the Automobile”). Even if a car lacks its own cellular connection, these systems will allow a driver to view apps, maps, and messages on the console and find information online.

Carmakers, as well as Google and Apple, say these systems pose no threat, because both essentially project the phone’s screen onto the car’s display. “They do not manipulate data,” says Brad Stertz, a spokesman for Audi, which is adding CarPlay and Android Auto to vehicles.

But security experts aren’t so sure. Charlie Miller, one of the researchers who hacked the Jeep Cherokee, says he has not examined CarPlay or Android Auto but believes they are “probably a vector,” meaning they might provide a way to access the rest of a car.

Kevin Mahaffey, CTO of Lookout and one of the researchers behind a recent Tesla hack, says this is a possibility that needs to be considered. “As cars and phones communicate a lot more, I think it starts to blend the security issues together,” he says. “I can’t make any announcements about future research, but the intersection of phones and safety-critical systems is happening more and more, so it’s an area we’re paying a lot of attention to.”

It is certainly still pretty challenging to hack a car. The Jeep hack involved reverse-engineering and reprogramming a computer chip in the vehicle’s entertainment system. Still, the requisite skills are starting to spread, as more exploit source code is published and more people become interested in vehicle security.

Corman says around 10 experts were teaching people how to hack car hardware at the Defcon event: “The population of car hackers is growing quickly.”

Keep Reading

Most Popular

DeepMind’s cofounder: Generative AI is just a phase. What’s next is interactive AI.

“This is a profound moment in the history of technology,” says Mustafa Suleyman.

What to know about this autumn’s covid vaccines

New variants will pose a challenge, but early signs suggest the shots will still boost antibody responses.

Human-plus-AI solutions mitigate security threats

With the right human oversight, emerging technologies like artificial intelligence can help keep business and customer data secure

Next slide, please: A brief history of the corporate presentation

From million-dollar slide shows to Steve Jobs’s introduction of the iPhone, a bit of show business never hurt plain old business.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.