A coordinated cyber-attack on connected cars in the US could case thousands of deaths and cripple national infrastructure, according to a new report from Consumer Watchdog, which goes so far as to compare the potential impact with the 9/11 terrorist attacks on New York and Wahsington.
Consumer Watchdog has called for ‘kill switches’ to be installed as standard in vehicles to enable all vehicular connectivity to be severed instantly, in the event of attack. It said car makers are putting profits before safety and security, and has urged lawmakers to step in if car makers and telecoms players do not offer ways to secure connected vehicles by the end of 2019.
“Using smartphone technology in cars – technology that was never designed to protect safety-critical systems – is a recipe for disaster. A plausible scenario involving a fleet-wide hack during rush hour in major US metropolitan areas could result in approximately 3,000 fatalities, the same death toll as the 9/11 attack,” says the report.
Consumer Watchdog does not mince its words. The report, subtitled ‘Why connected cars can be killing machines, and how to turn them off’, is intended to set alarm bells ringing.
The process to hack vehicles en masse is feasible, it says, via the cellular-connected ‘head unit’ (or ‘infotainment system’). “A hacker with only modest resources could launch a massive attack, potentially causing thousands of fatalities,” it says. So-called “expert hackers” confess in the report that “time and money are the only things that stand between them and hacking a fleet of cars”.
The head unit is connected to the vehicle’s CAN (controller area network) buses, which link the vehicle’s most critical systems, including the engine and brakes. “Connecting safety-critical components to the internet through a complex information and entertainment device is a security flaw. This design allows hackers to control a vehicle’s operations and take it over from across the internet,” the report re-states.
“Software design practices that result in frequent hacks of everything from consumer electronics to financial systems cannot be trusted in cars, which can endanger not only the lives of their occupants, but also pedestrians and everyone else on the road.”
Consumer Watchdog says it worked with the automotive and technology industries for five months to assess the dangers of attacks on connected vehicles. Most vehicles on American roads will be connected to the internet by the end of 2019; two thirds will be connected by 2022, it said.
The report says: “Seventeen million new cars are deployed on American roads each year in which the mechanisms that control movement – accelerating, steering, and braking – can be overridden by computers and software. This has been accompanied by a growing trend of connecting cars to wide-area communications networks, making them part of the internet of things.”
It goes on: “This is a dangerous combination, as it creates the potential for hackers to take control of vehicles remotely…. Consumers will soon have no haven from the online connections that threaten them. To protect the public, carmakers should install 50-cent ‘kill switches’ in every vehicle, allowing consumers to physically disconnect their cars from the internet and other wide-area networks.
“Otherwise, if a 9/11-like cyber-attack on our cars were to occur, recovery would be difficult because there is currently no way to disconnect our cars quickly and safely. Mandatory ‘kill switches’ would solve that problem.”
The report laments that automotive industry executives are “aware of the risks”, and yet “putting corporate profits ahead of consumer safety and national security”. It points the finger at top car brands for failing to police the technology they install in their products.
“Tesla, Audi, Hyundai, and Mercedes rely heavily on software written by third parties. This includes open source software, like Android, Linux, and FreeRTOS. This software often comprises contributions from hundreds or thousands of different authors around the world, and there is usually little accountability for flaws.
“Consumers are driving cars whose systems run on unfinished and under-tested software. Despite working on the problem for more than a decade, carmakers have proven incapable of creating internet-connected vehicles that are immune to hacking, which is the only standard that can keep consumers safe.”
Regulators should require automakers to disclose the authorship, certifications, and testing of critical software in their vehicles, and make chief executives at car companies accept legal liability for the cyber-security status of their cars. Cars should also be fitted with ‘kill switches’ at the earliest date, and future designs should separate safety-critical systems from infotainment systems.
Consumer Watchdog has asked legislators and regulators to mandate these protections if car makers do not commit by December 31, 2019.
It referred to a “veil of secrecy” around automotive software, safety cover-ups, and “sloppy testing practices”. In response, telecoms test company Keysight Technologies took the opportunity to promote its suite of solutions for validating connected vehicles technologies, to make sure they are not hijacked and turned into ‘killing machines’, as per the Consumer Watchdog’s warning.
Keysight is offering solutions to test and measure connected vehicle technologies and component parts, both individually and as part of a final vehicle, for sale to motorists. It is also able to validate 4G and 5G radio infrastructure, as per its regular offer to network operators, for connectivity between connected vehicles and cloud operations.
Mark Pierpoint, president of Keysight’s Ixia Solutions Group business, commented: “Potential issues identified post production, with the risk of recalls, cost orders of magnitude more to repair than when found during pre-deployment testing, notwithstanding the possible loss of human life. Continued detection and mitigation of cybersecurity threats once vehicles are on the road are equally critical to keep consumers safe. Cybersecurity testing is an essential defence.”
Mark Pierpoint, president of Keysight’s Ixia Solutions Group business, commented: “Potential issues identified post production, with the risk of recalls, cost orders of magnitude more to repair than when found during pre-deployment testing, notwithstanding the possible loss of human life. Continued detection and mitigation of cybersecurity threats once vehicles are on the road are equally critical to keep consumers safe. Cybersecurity testing is an essential defence.”
