To date, cyber attacks on modern vehicles have been led by ‘white hat’ hackers from the research community. The rationale is clear: find flaws and loopholes, and remedy them before those with malicious intent can exploit them. However, it remains unclear exactly what criminal operators stand to gain from cracking a connected, automated vehicle.
The basis for any cyber attack varies depending on the target in question: some may be financially motivated while others may be politically driven. Cyber warfare has also become increasingly common in military operations. Given that cyber attacks have been successfully carried out on stationary devices for decades, hacking a potentially moving object seems like an unnecessary challenge.
However, experts recognise that hackers will take any opportunity to monetise vulnerable systems, and the risk of extortion, ransom or theft of personal property remains real with the autonomous vehicle (AV).
Is there money in it?
Chuck Brokish, Director of Automotive Business Development at Green Hills Software, says that while money is not the only driver behind a cyber attack, it is typically a key motivating factor.
“There are many reasons we see cyber attacks, some for money, some for terror, and some just because a hacker can do it. Most of the time, there needs to be a financial incentive to spend the resources to perform such attacks,” he explained. “There would certainly seem to be monetary reasons to target modern vehicles in cyber-attacks for ransomware.”
Speaking in June as part of a virtual panel discussion hosted by AV education group PAVE, Chris Urmson, Founder and Chief Executive of Aurora, noted that “most cyber crime is about making money” but that “there isn’t really that much money to be made in taking control of a vehicle on the road.”
“Professional hacking is not about fame and honour, it is a business and in business money always plays an important role. With this in mind, the automotive domain is an attractive target,” noted Rasmus Adler, Program Manager, Autonomous Systems at the Fraunhofer Institute for Experimental Software Engineering.
Whether a hacker can specifically target an AV for profit is unclear, but it is not a risk the automotive industry can take. Serious investment has been directed toward the adoption of advanced cyber security solutions, and many automakers have offered ‘Bug Bounties’ for researchers to find weaknesses. Independent penetration tests have already exposed flaws in everything from wireless key fobs and infotainment systems, to smartphone apps and on-board diagnostics (OBD) ports.
Perhaps the best-publicised case is the Jeep Hack in 2015, which resulted in the first legal dispute of its kind. It was recently thrown out of a US court after pinballing around the legal system for years, but there has been no stronger example of the possibilities open to skilled hackers.
Held to ransom
At a basic level, there is certainly money to be gained by exploiting electronic systems to steal a modern vehicle—some believe cars could even be programmed to ‘steal themselves’ and drive to the criminal’s location. Given that most connected and partially automated models reside in the premium sector, these cars could be worth upwards of US$40,000 each.
Cyber attacks can also access private data that is stored in the vehicle with relative ease. Granular insights into travel habits—including the date and time of each trip and the live location of the vehicle—have already been attained by researchers. In the future, a car’s ‘electronic wallet’ might also provide a means for hackers to siphon money from under the driver’s nose.
Steve Wernikoff is a litigation partner at Detroit-headquartered law firm Honigman LLP, and previously served as a senior enforcement attorney at the Federal Trade Commission (FTC). He now co-leads the firm’s Data Security and Privacy Litigation and Autonomous Vehicle practices. “Hackers can obtain valuable data from the vehicles,” he explained, “which may store a fair amount of sensitive personal information about individuals, including data contained on phones that have been paired with the vehicle.”
Rebecca Chaney, a partner in Crowell & Moring’s Mass Tort, Transportation, and Digital Transformation practices, shares a similar view. “Cars increasingly contain a treasure trove of personal information that could be valuable to hackers, from location and biometric data to passwords for connected devices,” she observed. “And unlike laptops and cell phones, for which users are more familiar with how to protect themselves, vehicle owners may not be as proactive in protecting data in their vehicles.”
If a hacker is able to access safety-critical driver controls—the acceleration, braking and steering systems—the risks become even greater. “The chances that an operator can avoid an accident generally decrease with an increasing level of automation,” said Christian Jung, Department Head, Security Engineering at Fraunhofer IESE. “Hence, we assume that the consequences of hacked autonomous cars would be more significant than for traditional vehicles.”
A hacker may be able to prevent access to a vehicle unless a ransom is paid, suggested Wernikoff: “And if a hacker could gain access to a fleet of vehicles, they could in theory require a ransom from the owner to gain access to that fleet, which could be a very disruptive and profitable hack.”
Green Hills Software’s Brokish agrees that the concept of holding an AV hostage is not as far-fetched as some may think. “We continue to see more stories in the cyber security news about ransomware attacks on corporations. Much of the ransomware today is on corporate servers, but if someone can hold an entire fleet of vehicles ransom, that could certainly have a devastating effect not only on the automotive company, but also the customers using those vehicles,” he said. “In that case, the companies would likely be forced to pay the ransom just to keep their customers operational.”
Crowell & Moring’s Chaney added that by deploying ransomware, a hacker could demand money not only to cease the attack, but also to explain how it was achieved. “With that said, automakers and other industry players are aware of these threats and are already using best-in-class technology to prevent them,” she affirmed.
Today, authorities tend to recommend that ransomware bounties are not paid—not least because there is no guarantee that the criminal behind the screen will cede control of personal data once a payment is made. However, the implications of not settling a ransom for a runaway AV could mean that payments are unavoidable. “Hacking a self-driving car could also advance a hacker’s reputation and lead to paid opportunities for similar work,” noted Chaney.
A growing motivation to hack
Hacking an organisation’s computer systems is tried and tested, and the culprits are not often brought to justice. It may also be too time-consuming and expensive to execute a cyber attack on modern vehicles at this stage. However, the growth in new electronic systems in connected, automated and electric vehicles is opening up new opportunities for hackers to ply their trade.
“There is no longer much of a difference between hacking a computer and hacking a connected vehicle,” Wernikoff explained. “A connected vehicle is a computer, or rather a set of computers.” The basics of hacking a desktop computer and a vehicle may be similar, but the level of risk is very different: one is stationary, while the other can weigh around two tonnes and travel at speeds in excess of 70mph.
The potential for immediate physical damage is what has the industry most concerned about an AV hack, and the ramifications are far wider than simply inconvenience or lost profits. Public authorities could be held to the sword by a hacker that has control over a fleet of vehicles, blocking roads, causing damage and putting emergency services under severe pressure. Human lives would also be put at risk.
“In theory, if a hacker gained access to a fleet of vehicles it could cause a serious incident if they were able to incapacitate the vehicles while moving,” concluded Wernikoff. “Most of these hacks are theoretical at this point and have only been proven possible in extremely controlled research scenarios. But in light of the potential profit and harm that can be done by such hacks, the motivation to attempt them likely will continue.”