Intelligent Machines

Carmakers Accelerate Security Efforts after Hacking Stunts

Manufacturers are trying to improve cars’ computer security, even as they add functionality that could open up new avenues for attack.

The ability to control a car remotely could pose a major safety risk.

Your next car might come with a great safety rating or reliability score, but how hackable will it be?

Security researchers recently demonstrated several tricks for hacking into cars in order to take control of components such as the stereo and windshield wipers, and even the engine and brakes. In one example, a pair of experts remotely deactivated the braking system on a Jeep Cherokee as a journalist drove it down the road.

Unsurprisingly, carmakers have begun taking computer security a lot more seriously, but they have been blindsided by the speed of technological change within the industry, and especially by how the addition of connectivity has opened cars up to attack. At the same time, they are rapidly adding new functionality that will require extra security scrutiny.

The electric-car maker Tesla is ahead of the curve, with a car that is both highly computerized and connected and relatively well protected against hackers. Unlike most cars on the road, the latest Model S features an internal computer network that separates different systems, making it harder for hackers to jump from one system to the next. The experts who breached the Jeep, for instance, used the entertainment system as a way to access other vehicle components. Other carmakers are now developing similar systems, says Joshua Corman, an independent security researcher who consults with car companies. “There’s really no reason to have the stereo speak to the brakes,” he says.

Carmakers are also reviewing their approach to dealing with security flaws and bugs, meaning they will invite security researchers to alert them to problems and work with them to get them fixed (rather than threatening to sue them, as has happened in the past). Tesla has offered cash bounties to those who disclose such problems. Several experts in the field say other car companies may soon do the same. Corman says two automakers had planned to reveal a new approach at Defcon, a major computer security conference in Las Vegas, but were deterred by the negative press attracted by the Jeep hack.

More carmakers are also devising ways to patch the software on their cars remotely, to address problems more quickly. So far, only Tesla and BMW are capable of this, but Ford recently said it would introduce the functionality in its vehicles, although it did not specify when.

Many experts say carmakers need to do much more, though. Corman also advocates, among other things, adding a “black box” to the computer network inside vehicles so that hacking attacks could be recorded and traced after the fact. Such a device, or something similar, might also be used to detect and stop an attack in progress.

Academics have been hacking cars for years (see “Taking Control of Cars from Afar”). But the introduction of cellular connectivity has made it easier to compromise a vehicle. Craig Smith, a security researcher who tests security for many carmakers, says he has performed feats similar to the Jeep hack in that capacity. “When it comes to finding an exploit, there are only a couple of new things you need to learn,” he says.

Most automakers are letting smartphones connect to the dashboard via Apple’s CarPlay and Google’s Android Auto (see “Rebooting the Automobile”). Even if a car lacks its own cellular connection, these systems will allow a driver to view apps, maps, and messages on the console and find information online.

Carmakers, as well as Google and Apple, say these systems pose no threat, because both essentially project the phone’s screen onto the car’s display. “They do not manipulate data,” says Brad Stertz, a spokesman for Audi, which is adding CarPlay and Android Auto to vehicles.

But security experts aren’t so sure. Charlie Miller, one of the researchers who hacked the Jeep Cherokee, says he has not examined CarPlay or Android Auto but believes they are “probably a vector,” meaning they might provide a way to access the rest of a car.

Kevin Mahaffey, CTO of Lookout and one of the researchers behind a recent Tesla hack, says this is a possibility that needs to be considered. “As cars and phones communicate a lot more, I think it starts to blend the security issues together,” he says. “I can’t make any announcements about future research, but the intersection of phones and safety-critical systems is happening more and more, so it’s an area we’re paying a lot of attention to.”

It is certainly still pretty challenging to hack a car. The Jeep hack involved reverse-engineering and reprogramming a computer chip in the vehicle’s entertainment system. Still, the requisite skills are starting to spread, as more exploit source code is published and more people become interested in vehicle security.

Corman says around 10 experts were teaching people how to hack car hardware at the Defcon event: “The population of car hackers is growing quickly.”
