The car industry is fast approaching a dangerous crossroads. As automakers embrace the digital age, there is growing evidence that cyber security may have been left behind in the race to incorporate the latest technology into new models.
Fiat Chrysler is the latest car manufacturer to own up to a major digital security flaw in its vehicles. It is now recalling 1.4 million vehicles in the wake of a highly-publicised story in the US’s Wired magazine detailing how software programmers were able to take over a Jeep Cherokee being driven on a Missouri highway. This is the latest in a string of in-car software vulnerabilities which have been identified by various carmakers. Last year, for example, BMW had to issue a patch for 2.2 million cars that link to its ConnectDrive platform.
The Fiat Chrysler recall, however, is being seen as a landmark event for the auto industry. Previous industry concerns over digitalisation have largely focused on security flaws that allowed hackers to open door locks or gain access to corporate networks via in-car infotainment systems.
But the Jeep Cherokee cyber breach enabled the hackers to take control of the vehicle's brakes and accelerator.
Crucially, the hackers were able to accomplish this via a zero-day exploit, enabling them to take remote control of Jeep Cherokees via the internet by sending commands through the Jeep’s entertainment systems to dashboard functions such as steering, brakes and transmission.
Although some super criminal remotely hijacking a vehicle containing a head of state or aiming a petrol container at a government building may sound like a far-fetched plot from the latest James Bond movie, the reality is far more sinister. While super criminals and Mafia hit-men are mainstays of film and pulp fiction, in 2015 state actors and terrorists represent a much greater global risk.
Western powers such as the US and the UK are only now starting to wake up to the scale of this threat. Industrial espionage and economic sabotage and are already well-used weapons in the cyber arsenals of powers such as Russia, China and Korea. At this point in history, however, it appears unlikely that they would add assassination of heads of state or the destruction of government buildings to their cyber skillsets, even if they were able to hack into a vehicle carrying a president or a prime minister or direct a container load of explosive materials at a seat of government.
Terrorists increasingly tempted to exploit these weaknesses
But the same cannot be said of the terrorist groups that are now springing up across the Muslim world. As more vulnerabilities start to appear in digitally enhanced vehicles, the world's terrorists will be increasingly tempted to exploit these weaknesses to create maximum disruption and confusion in Western economies. Although the obvious targets for kidnapping or assassination are political heads or captains of industry, lawmakers and other individuals who play a significant role in the economy are also potential targets.
It is also increasingly possible that state actors posing as terrorists might covertly orchestrate such an attack to destabilise a rival power. It is part of the nature of cyber espionage and cyber terrorism that the true source of an attack can be almost impossible to trace.
Although an attack may appear to have emanated from, for example, Syria, this could be a smokescreen designed to hide the fact that the attack was an attempt perpetrated by a rival super power to destabilise a Western economy.
The more wireless connections, the easier vehicles are to hack
This is a problem which is now set to grow as manufacturers increasingly incorporate digital technology into new vehicle designs without paying sufficient regard to security. The auto industry's digital revolution began over a decade ago with the introduction of infotainment systems into high-end models. Encouraged by positive consumer reaction to being able to access online in-car music, navigation systems and emails, carmakers have become increasingly ambitious.
Today's Internet-connected vehicles are soon to be superseded by cars that communicate with one another, respond to wireless communication from traffic lights. Some will have safety systems that will automatically apply the brakes to avoid a collision.
In the US, Google’s self-driving cars are reported to have covered almost a million miles of road already. So far, Google is attributing any collisions that may have occurred to human error on the part of people driving other vehicles; they may well be right. But the high level of digital sophistication in cars like these opens a whole new Pandora’s Box of cyber threats for road users.
The problem facing the industry is that more wireless connections cars have then the greater the number of onboard IT systems, the easier the vehicles are to hack. There is now growing evidence that in-car software vulnerabilities now beginning to pose a safety and well as a security risk.
Stuart Poole-Robb is the chief executive of the security, business intelligence and cyber security adviser, the KCS Group Europe.