Researchers and ‘white-hat’ hackers have cyber attacks on modern cars. It is simple: identify flaws and loopholes in vehicles and fix them before malicious intent can exploit them. Cracking an automated, connected vehicle is unclear what criminals stand to gain.
Cyberattacks are based on the targets. Some may be motivated by financial gain, while political motives may drive others. Military operations have also seen cyber warfare become more common. Hacking a moving object is an obvious challenge, considering that successful cyber attacks have been carried out on stationary devices for many decades.
Experts recognize that hackers will seize any opportunity to monetize vulnerable systems, and the risk of extortion or ransom theft of personal property with an autonomous vehicle (AV) is real.
Is it worth the money?
Green Hills Software’s Director of Automotive Business Development, Chuck Bookish, said that although money isn’t the only motivator for cyber attacks, it is a common one.
Cyber attacks can be for many reasons, including money, terror, or just because hackers can do it. He explained that most of the time, there must be a financial incentive for people to use the resources to carry out such attacks. “There would be financial reasons to attack modern vehicles with ransomware cyber-attacks.”
In June, Chris Urmson, Chief Executive and Founder of Aurora spoke at a virtual panel discussion hosted partly by AV education group PAVE. He noted that most cybercrime is about making money but that there isn’t much to be made from taking control of a vehicle.
“Professional hacking does not mean fame and honor, it is about money and business. This is why the automotive domain is a desirable target,” stated Rasmus Adler (Program Manager, Autonomous Systems, Fraunhofer Institute for Experimental Software Engineering).
Although it isn’t clear whether hackers can target AVs for profit, it is not something the automotive industry should be concerned about. Many automakers offer ‘Bug Bounties’ to help researchers find vulnerabilities. This is a serious investment in cyber security. Independent penetration tests have shown flaws in everything, from infotainment systems and wireless key fobs to smartphones and OBD ports.
The Jeep Hack, the subject of the first legal dispute of its type, is perhaps the most well-known case. After years of pinballing through the US legal system, it was finally thrown out by a US court. However, there have been few better examples of the potential for skilled hackers.
Held to ransom
There is money to be made by using electronic systems to steal modern vehicles– . Some believe that cars could be programmed to drive to the location of criminals. These cars can be worth up to US$40,000 each, as most of the connected and partially-automated models are in the premium sector.
Cyber attacks can also gain access to private data stored in vehicles with relative ease. Researchers have already obtained detailed insights into travel habits, including the dates and times of each trip as well as the location of the vehicle. Researchers can now see how hackers could use the car’s electronic wallet to steal money from the driver.
Steve Wernikoff is a litigation partner at Detroit-headquartered law firm Honigman LLP and previously served as a senior enforcement attorney at the Federal Trade Commission (FTC). He is now the firm’s Data Security and Privacy Litigation and Autonomous Vehicle Practices co-leader. He explained that hackers could get valuable data from vehicles, which may store sensitive personal information, such as data on phones that are paired with them.
Rebecca Chaney, a partner with Crowell & Moring’s Mass Tort, Transportation, Digital Transformation practice, shares a similar viewpoint. She observed that cars increasingly contain valuable personal information that hackers could use, including biometric and location data and passwords for connected devices. And unlike cell phones and laptops, where users are more knowledgeable about how to protect themselves, vehicle owners might not be as proactive in protecting data within their vehicles.
Hackers can remotely control steering, acceleration, and braking using driver assistance systems.
Hackers can access safety-critical driver controls, such as the acceleration, brake and steering systems. This increases the risk. Christian Jung, Head of Security Engineering at Frauenhofer IESE, stated that automation generally reduces the chance that an operator will avoid an accident. “We assume that autonomous hacking vehicles will have more serious consequences than traditional vehicles.
Wernikoff suggested that hackers may be able to prevent vehicle access if ransoms are not paid. “And if hacker could gain access a fleet of vehicles, they could theoretically require ransom from the owner to get access to that fleet. This could be disruptive and lucrative hack.”
Bookish, Green Hills Software’s director of security, agrees that holding an AV hostage seems not so far-fetched. Ransomware attacks against corporations are a growing concern. “We keep seeing more cyber security news stories about them,” he said. He said that although ransomware is most prevalent on corporate servers, the ability to hold entire fleets of vehicles hostage could have devastating consequences not only for the automotive company but also for the customers who use those vehicles.” “In such a case, the companies could be forced to pay ransom to keep their customers operating.”
Crowell and Moring’s Chaney said that hackers could use ransomware to demand money to stop an attack and explain how it happened. She stated that automakers and other industry players are well aware of the threats and have been using best-in-class technology to stop them.
Authorities recommend that ransomware bounties not be paid. This is due to the uncertainty that criminals behind the screens will hand over personal data. The consequences of not paying a ransom to a runaway virus agent could make it impossible to pay them. Chaney noted that hacking a self-driving vehicle could boost a hacker’s reputation and open up opportunities for paid work.
Hacking is a growing passion.
Hacking into an organization’s computer system is a tried-and-true process, but the perpetrators are rarely brought to justice. A cyber attack on modern vehicles may be too costly and time-consuming at this stage. Hackers have new opportunities to make a living by developing electronic systems in connected, automated, and electric vehicles.
Wernikoff stated that hacking a vehicle connected to a computer is the same thing. “A connected vehicle, or a group of computers, is a computer,” Wernikoff explained that although the basic concepts of hacking a computer and a vehicle are similar, the risk level is quite different. The vehicle can be stationary, weigh at least two tonnes, and travel at speeds exceeding 70mph.
An AV hack could cause immediate damage to the industry. But the consequences are more than just inconvenience and lost profits. A hacker who controls a fleet fleet fleet could put public authorities under severe pressure. Human lives could also be at risk.
Wernikoff stated that hackers could gain vehicle access and cause serious injuries if they could disable them while moving. These hacks are purely theoretical, and they have only been demonstrated to be possible in very controlled research situations. However, these hacks have the potential to bring about both profit and harm. This is why they will likely be tried again.