It has only been a little more than a decade since the introduction of the smartphone, yet they have now replaced laptops and desktops as the primary personal computing device. As we become so used to being connected to the Internet anytime and anywhere, more and more “things” now come equipped with such connectivity. One of the most common Internet of Things (IoT) devices are vehicles, but what happens when vehicles connect to each other and infrastructure?
How does vehicle connectivity work?
Most new cars in 2020 come with either embedded (built-in) or tethered (brought-in) internet connectivity, or a mixture of both. Vehicles with embedded connectivity are equipped with a built-in modem to directly receive cellular data, while those with tethered connectivity borrow the driver’s smartphone data to access the Internet (similar to WI-FI hotspots).
Most automakers offer embedded connectivity free trials for a few months, after which the driver would need to pay for continued internet access. This works similarly to a smartphone plan. For instance, AT&Tprovides a connected car data plan at cost per month for coverage in the US and Canada.
Some automakers offer embedded connectivity only for critical functions such as remote control and crash notification, and require tethered internet for all other entertainment purposes.
Whether having embedded or tethered internet connectivity, connected vehicles bring a lot of convenience and joy to the drivers. They have remote control features that allow users to unlock the doors, turn on the engine, and adjust the in-vehicle environment via their smartphone. They allow users to listen to the news, search for information, and access their smartphone all through voice control. In addition, they provide high definition streaming media content for both drivers and passengers.
Why hack a connected vehicle?
Wherever there exists an internet connection, there are security threats. The cyberthreats a connected vehicle system faces are very similar to that of a traditional IT system, in which almost all threat actors are driven by financial or political motives. In the context of a traditional IT system, the three most common objectives of cyberattacks are:
1) to exfiltrate or encrypt data for financial gains (by using the data for phishing and identity theft, selling the data to third parties, or demanding a ransom),
2) to steal intellectual property from adversaries (either businesses or political units), and
3) to disrupt operations and activities of adversaries (either businesses or political units).
In contrast, let us take a look at the most common objectives for someone to attack a car:
Vehicle theft
Believe it or not, vehicle thefts are still common. Over 150,000 vehicles were stolen in California alone in 2018 according to the Insurance Information Institute. Connected cars with smart or digital keys might decrease the chance of theft from unskilled thieves, but could as well increase the chance of theft from high-skilled hackers.
Personal data theft
Connected vehicles collect and store tons of personal data. At the very least, they store the driver’s contact list, call history, calendar, search history, entertainment preferences, driving history, and location data. Some might even store financial information for automatic payment of toll fees and EV charging fees. Attackers who gain the data may use them for identity theft, sell them to third parties, or blackmail the car owner for ransoms.
Personal attack or terrorism
This is perhaps the most concerning risk involving connected vehicles. When used abusively, cars have the potential to cause serious physical damage and death. When a threat actor hacks the system and takes full control of a car, the car becomes a destructive weapon that can be used to target specific individuals or the general public. What’s worse is that such a crime would be very difficult and expensive to solve as cybercriminals are much harder to catch.
Notice that under the third objective, a so-called cyberattack has crossed the line of cyberspace to threaten our physical safety. This has always been the biggest concern of autonomous driving. To prevent criminal groups and terrorists from destroying our transportation system, governments must work with industry experts to establish a complete international regulatory compliance for vehicle security.
In a traditional IT system, we create the network, then secure it. In a connected car system, we secure first, then ride. Having an unsecured car network is essentially the same as having a bridge built with substandard materials. This is why it is critical for us to understand where the weaknesses come from and protect them accordingly. To read more on the specific threats modern vehicles face, click here.