Automakers have gotten more serious about protecting motorists from car-related cyber threats, and not a moment too soon.
Amid growing concern from Congress and the traveling public, a dozen major manufacturers established an Information Sharing and Analysis Center (Auto-ISAC), which became fully operational in January. Already, the organization’s leaders say they’ve thwarted attacks by sharing threat intelligence and information on vulnerabilities.
The fledgling organization’s leaders discussed their efforts and the overall state of automotive cybersecurity this week during the TU-Automotive conference in suburban Detroit.
Their remarks came only days after British security researchers announced they had exploited vulnerabilities in a Mitsubishi Outlander plug-in hybrid that allowed them to manipulate certain vehicle functions. Researchers from Pen Test Partners say they found minimal security measures on the vehicle and easily tapped into the onboard Wi-Fi to access features controlled by the infotainment screen. As the number of connected vehicles mushrooms across the globe, the possibility of similar security breaches grows.
The Bigger Worry: Ransomware
But automotive cyber threats will likely change in nature going forward, moving away from the research-based meddling that the industry has seen so far and toward ransomware attacks, which have plagued other industries and offer malicious hackers the prospect of big paydays. To date, ransomware attacks have largely targeted hospital and healthcare facilities that rely on real-time information to provide critical care for patients. Hackers threaten to lock vital computer systems until a ransom is paid.
Automotive experts warn that hackers could conduct similar attacks on connected cars, disabling them in similar fashion until they get paid. Or worse.
“We’re lucky that no one has hacked an entire brand of cars and said, ‘I’m going to stop all your cars tomorrow at noon, unless you give me money,’ ” said Stefan Gudmundsson, director of strategy for cellular products at u-blox, a Swiss company that builds wireless semiconductors for car companies.
That’s the sort of broad-based hack that has worried Department of Defense officials since six years ago, when researchers at the University of California-San Diego and the University of Washington first demonstrated that it was possible to breach the electronic systems in cars. Until recently, the auto industry seemed slow to address vulnerabilities. The remote hack of a Jeep Cherokee by researchers Charlie Miller and Chris Valasek, disclosed last summer, finally brought those worries—from both the industry and federal officials—to the forefront.
Cooperation to Confront the Threat
Industry leaders had already started work on establishing Auto-ISAC by that point, but the Jeep hack accelerated their timeline and expanded the scope of their plan. Now, Auto-ISAC officials are adding suppliers to their group faster than anticipated. Delphi was the first to join, earlier this year. Jonathan Allen, executive director of Auto-ISAC, said four more suppliers are expected to join the organization within a week and it’s possible another eight more companies will join by the end of June. One of them might be Google.
“Google is a major one, especially with their relationship with FCA,” Allen said. “We’re in discussions with Google.” A Google spokesperson declined comment.
Read more of the original article at Car and Driver.