Skip to main content

Are connected cars really safe? Experts at SXSW 2014 aren't sure

As cars get connected, they'll face some of the same security threats as other networked devices. But there's one big difference between a hacker gaining access to your laptop and to your car: A security breach on the former can be a bummer, but a hack of the latter could be hazardous to your life.

Perhaps because cars have lagged behind other devices in getting connected, protecting vehicles hasn't gotten the attention and resources that other Internet security concerns have. There have only been a few instances of cars being hacked, and most were for research purposes. But that's changing as connected cars become more ubiquitous and therefore a more sought-after target for scammers.

Car hacking was the topic of a panel at SXSW Interactive in Austin last week, and part of a larger Connected Car Pavilion that I co-produced. The panel brought together representatives from the world of Internet security, academia, and government policy to discuss aspects of protecting connected cars that ranged from who owns a driver's data to the motivation behind car hacking.

Panelists included Damon McCoy, assistant professor of computer science at George Mason University; Judith Bitterli, chief marketing officer at AVG Technologies, Karl Heimer, senior research director of the Cyber Innovation Unit at Battelle; and Catherine McCullough, executive director of Intelligent Car Coalition. Moderating the panel was Mike Courtney, founder of the market research firm Aperio.

Despite headlines generated by several research projects, which have demonstrated that car hacking is possible via a physical connection to the car, the panelists generally concurred that, while an imminent threat is more media hype than an on-the-road reality, the issue needs to be addressed.

"Today, the risk of [attack] is low," said McCoy. "Hopefully, tomorrow we'll have built an infrastructure that anticipates and prevents [attacks]."

"The car industry needs to invest in developing best practices" added Heimer. "We have a narrow window of opportunity that we're using to aggressively develop and implement robust, efficient, hardened automotive systems that resist attack."

One question that comes up often in this debate is who owns the data generated by a connected car and how can it be safeguarded. "At this point, ownership [of connected car] data is really undefined," said Bitterli, who added that car companies "need to work to secure and keep the confidence of consumers."

Bitterli's company has called for a "nutritional label" of sorts within mobile apps so that it's transparent to customers what data is collected and how it is shared, a tactic that could also be applied to cars.

But McCoy added that, unlike with computers and other technology, a uniform approach may not work for cars. "We have to be careful when considering a cyber-safety rating for cars, because the car is just one piece of the puzzle," he said.

McCoy said that we have yet to see car hacking become a problem because there's little motivation beyond maliciousness. He noted that high-profile hacks into bank and credit card accounts have financial incentives. "Given the [monetary] motivation of most hackers, the chance of [automotive hacking] is very low," he said.

Before that happens, McCullough believes that "as with banking and e-commerce, we will probably see a market response to intelligent car cyber risk." And in the same way that the security industry has quickly responded to threats in other areas, McCullough thinks it will also be able to stay ahead of car hacks.

"Tech is always a moving target," she said (no pun intended), "and it also has powerful ability to self-heal."

Elsewhere at SXSW, Snowden delivered a live keynote where he accused the NSA of "setting fire to the Internet."