Car hacking danger grows with move to autonomous vehicles

Hacking cars may seem a distant threat right now, but a dangerous "Hindenberg moment" could be nearing, due to the advent of autonomous cars, two researchers with the US automotive guide publication Kelley Blue Book have warned.

Hindenberg moments – potential lifetaking catastrophes – occur as new technologies take an initial leap forward, but risks have not been foreseen or adequately addressed.

"I think we're going to see this when we go from non-connected, human-controlled cars to connected, non-human controlled cars – which is where we're going now," Karl Brauer, senior director, automotive insights, with Kelley Blue Book told an audience at the RSA security conference in San Francisco recently.

Unfortunately, this is to be expected according to the typical S-curve that applies to innovations, he says. When a certain level of advancement is reached with a new technology – the first rise in a sideways- plotted S-curve – most slip backwards before the next leap addresses the initial problems.

In automotive technologies, this has been the usual trajectory for innovations such as automatic braking systems (ABS) and airbags, which first caused some deaths due to unexpected technological issues before becoming reliable enough to routinely prevent them, the researchers said.

The recent minor crash between a Google autonomous car and a bus in California – where the car reversed into the bus's path in order to avoid an object – offered an example of an unforeseen autonomous car glitch, Brauer said.

“We’re going to see more of them before we see less of them,” he added.

Akshay Anand, Kelley Blue Book's manager for commercial insights, said the world was moving more swiftly towards autonomous vehicles that was anticipated even just a few years ago.

Drivers increasingly view such cars positively, too. In a study carried out by the company, 42 per cent of respondents liked the idea of an autonomous car, especially for its perceived “convenience factor”, and that number rose to 66 per cent among the younger millennial generation.

However, 51 per cent still said they’d be “extremely reluctant” to get one, and 24 per cent were “reluctant”. Just 15 per cent were “eager” for an autonomous car, while 10 per cent were “extremely eager”. Again, millennials were the most enthusiastic, with 42 per cent either eager or very eager to have one.

But 62 per cent of respondents said they feared cars would be hacked in the future.

That perception is probably valid, said Brauer.

Ar one time you simply couldn’t hack a car, but now “there are more pathways to hacking a car than ever before”. Researchers have shown cars do have vulnerabilities.

A Tesla was hacked through its internet- connected entertainment system. Another car was hacked using a smartphone on a Bluetooth connection, and hackers demonstrated they could access General Motors cars using their OnStar communications system.

“You have a wide range of options if you’re a hacker trying to get into a car. You’d think people would be questioning if [adding in new technologies and net connections is] a good idea,” says Brauer. “But interestingly, 30 per cent already think, if a car doesn’t have the technology I want” – such as an internet-connected entertainment system – “I’ll move on to another car.”

According to Anand, internet connectivity in cars – a potential door for hackers – is becoming the norm. In 2011 two vehicles had standard internet access. Only five years later, it’s 133, he said.

“A lot of cars are just jumping over to standard, so you’re connected whether you like it or not. And whenever a new car is sold, that car’s going to be connected.”

Still, as far as they were aware, all hacks to date had been experiments in a controlled environment.

Perhaps that’s why car hacking doesn’t particularly worry drivers yet as a safety problem. In the survey, distracted or impaired drivers and mechanical problems were respondents’ top safety concerns.

Hackers seriously worried only 4 per cent of people in the January 2016 survey, a tiny rise from 3 per cent expressing concern last July. Millennials were more worried, with 12 per cent seeing it as a potential issue.

Hacked remotely

Awareness of what can and can’t be done is low. Some 58 per cent believed any car could be hacked remotely, but this wasn’t the case, Brauer said.

The survey showed some people were sure they could identify particular brands of cars had been hacked in the past, when they hadn’t.

And 74 per cent said they had never heard of a car that had been successfully hacked remotely, even though hackers successfully managed to take over the controls of a Jeep the previous year, in a demonstration that received widespread news coverage.

The bad news for car makers is that respondents overwhelmingly thought car manufacturers should be held responsible for hacks, even though the few successful hacks have generally been done using features or parts supplied by third parties.

“Consumers point to it being someone else’s vulnerability” to fix, Brauer said.

If a vehicle were to be hacked through a car owner’s own mobile device, 29 per cent still thought it was the car manufacturer’s fault to address.

And even though 82 per cent said they believed cars were likely to be hacked through mobile apps in future, only 13 per cent of people said they would never use an app if it increased the potential for their vehicle to be hacked.

Three successive Kelley Blue Book surveys in 2015 and 2016 indicated the vast majority of car owners would ultimately opt for technologies and apps, and choose convenience over risk.

Consumers varied in the approaches they were willing to take to prevent attacks. In the survey, just under half were willing to pay for anti-hacking software that might cost about $9 a month.

A larger number, 56 per cent, said they’d pay for insurance to cover hacking. But again, people felt it the onus was on car makers to offer the software service or insurance.

“Consumers put the burden, no matter what, on vehicle manufacturers,” said Anand.

Anand said he thought that hacking a car that is fully autonomous was “almost like a ransomware hack”. He imagined a future in which a hacker might drive the car to an ATM remotely and demand the passenger withdraw and then deliver cash.

Cyberterrorism

Brauer said a fairly innocuous hack to turn off an individual car could have serious impact if hackers halted numerous cars on a highway. Cars “had the potential to become a target for cyberterrorism, if someone can mess with your driving and braking.

“And how do you know if your car has been hacked? If you don’t drive your car every day, maybe it’s something you don’t notice right away. There’s just a lot to think about in the future.”

Because consumer vigilance isn’t strong, pressure should be on the car and device consortia creating potentially hackable technologies and services, said Anand.

Automakers should develop research teams, crowd-source vulnerabilities, and collect information on every hack, he said. The US government has started focusing on such issues, but in reality “this is something we should have been focusing on as soon as cars began to become connected”.

“It seems a little bit behind the curve, right? We’ve known this was coming for a while,” added Brauer, noting that if 2016 was the year in which hacking potential began to be taken seriously, it would be 2020 before any concrete action was taken.

Perhaps drivers need to consider one other unexpected consequence of autonomous cars, said Brauer.

“Nothing is going to happen to a connected car that’s going to be a mystery. They’ll have cameras, sensors, data logging.”

So, if your autonomous car is involved in a fender-bender, “all I can say is, it better not be your fault as a human, because the connected car is going to have all the evidence to prove that it’s your fault”.