By Alan Grau, VP of IoT, Embedded Systems, Sectigo
There have been a few real-world cases where white-hat hackers and researchers have been able – in limited, controlled instances – to actually hack into a car’s electronics and communications systems, and take over the steering and acceleration systems. This highlights how cars can be hacked into, potentially causing real damage.
However, there are other scenarios that might not be as obvious or as dramatic.
For example, if a car’s computer is infected by a virus, this could greatly reduce its engine’s efficiency or its maximum driving speed?
The virus can do something even less dramatic, such as prevent the car from locking/unlocking its doors or closing/opening its windows, or simply prevent it from starting. This is not dangerous, but it is disruptive, posing a disaster for the automobile’s manufacturers.
Motor City Ransomware
Electric Vehicles require sophisticated control and safety technologies for their electrical power systems to safely manage the high voltages stored in and distributed from their battery systems. If something goes wrong, the car cannot operate, people could get electrocuted, or the car could burst into flames or even explode. These are real dangers that are managed by the car’s network of fuses, circuit breakers and control systems.
What would happen if a cyber hacker got into these sensitive electronic systems and turned off the safety and control system? And, why would someone do this? The answer in most cases is money, of course.
There’s the potential that following the hacking or infectiong of the vehicle, that these “bad guys” should have the software or security keys to fix the problems, but hold them as ransom, jeopardising an automaker’s entire fleet of new cars. How many millions (or tens of millions) of dollars would the automaker pay to get that solution?
Holding a manufacturer hostage is a very real possibility, as evidenced by the results that today’s hackers are getting by attacking hospitals and cities, successfully extracting substantial ransoms to just return these institution’s data. In a recent WIRED article, “The Biggest Cybersecurity Crisis of 2019 So Far”, which discusses the risks to “things” and across supply chains, the FBI explained: “We are seeing an increase in targeted ransomware attacks. Cyber criminals are opportunistic. They will monetise any network to the fullest extent.”
Pre- and Post-Assembly Infections
It is possible that cars could be infected before they even hit the auto dealers’ lots. Bad actors have the capability to infect a small electronic part, essential to the auto-manufacturing food chain, purchased from one of the hundreds of component suppliers.
How could auto manufacturers possibly test each electronic element? It is almost impossible, and requires that parts manufacturers themselves take more care in their software development process to ensure the software in these components are not infected during manufacturing process, or during the testing and shipping processes.
Of course, cyber infections could happen on the actual assembly line where the cars are put together. With many car manufacturing plants using IoT connected robots and machines, there is always a possibility of infection happening on the assembly line.
These components could even become infected after assembly, during the manufacturers’ testing and process. Infection, during installation, or with after-market parts and upgrades, could arise after the vehicles arrive at the dealers’ facilities.
Already aware of the possibility and the potential disastrous effects of infected cars reaching the market, manufacturers throughout the supply chain need to become more aware of how their devices could be attacked and infected even before they leave the warehouse. This means embedding IoT security from day one – from the smallest electronic components to final assembly of motors, transmissions and other large vehicle components.