Today’s car manufacturers will be tomorrow’s software companies as the industry accelerates toward electric and autonomous vehicles, according to Shawn Lorenz, vice president at Dellfer Inc., a company focused on creating unhackable code for vehicles.
“You’re going to see a very hard line dividing hardware versus software in the automotive space,” he says. “It’s a very exciting time.”
But along with mobility advancements comes another concern: the security of automobiles themselves, a topic that Lorenz says few are talking about, but that everyone should.
He explains that hackers have compromised or inserted malware into the networks of 55% of auto dealerships. While some hackers are after customer information, others are simply hacking in for the thrill of causing chaos and destruction.
But with vehicles, Lorenz maintains that more nefarious actors may be on the prowl. Here, he says, there’s the “potential for a wide-scale, mass-casualty event by an enemy state.”
A Wall Street Journal article titled, “Will Electric Cars and Trucks be the Next Playground for Hackers?” describes one nightmare possibility. “Hackers,” the author writes, “spread malicious software to thousands or millions of EVs. The attacks paralyze cars until their owners pay a fee in much the same way that ransomware can shut down an entire computer network until hackers get money. Even worse, hackers might corrupt an electric vehicle’s charging system and overload the battery, potentially igniting it, or hijack a vehicle’s acceleration or braking, leading to an accident.”
The frightening scenarios are possible if auto manufactures don’t secure the plethora of computer systems in today’s high-tech vehicles. All vehicles today are packed with hundreds of chips and software that control everything from batteries to motors, and cruise control to brakes.
Securing automobiles is complex because auto manufacturers have many vendors developing code for vehicle systems, says Dvir Reznik, vice president of marketing for C2A Security, which offers the automotive-grade DevSecOps platform to carmakers and EV charging companies.
“Vehicles are much more software-defined, yet unlike facbook.com or your iPhone, the carmakers themselves don’t write all of that software code but rely on their supply chain,” he says. “That third-party code often comes to OEMs as black boxes, and they don’t know what’s inside. They don’t know if suppliers used common security practices or standards when developing them.”
Research shows hackers can exploit the inherent security flaws in 4G/5G cellular connectivity, keyless entry key fobs, Bluetooth and other potential attack targets in today’s cars, according to Reznik.
When researcher Sam Curry tested the security of various automakers and telematics systems in 2022, he discovered massive security holes and vulnerabilities, reported an article by technology and science news site Arstechnica.
Curry began researching automobile cybersecurity after he discovered he could use an application to activate the horns and headlights of an entire scooter fleet. In the article, he says that almost every vehicle made over the last five years offers nearly identical functionality. Often, there are vulnerabilities in the APIs, or application programming interface, of vehicle telematics systems that hackers can exploit to remotely honk the horn, flash the lights, lock or unlock the doors, and start or stop the vehicle. The catastrophic outcomes arising from any of those events while a vehicle is in motion could be devastating.
Though cyber threats exist, Reznik maintains that they are not at the “Fast & Furious” level of hackers taking over a fleet of vehicles with just a few clicks. “However, given enough time, access and motivation, a hacker could find and exploit a vulnerability to do criminal things,” he says. “Hackers can exploit everything from keyless entry to remote start. They can start the car and just drive away or access infotainment systems to exploit your personal data. Nothing is 100% hacker-proof.”
To date, most reported hacks have been minor. The Wall Street Journal article indicated that hackers displayed pornography on public electric-vehicle chargers’ monitor screens in an April 2022 incident. The same year, hackers displayed pro-Ukrainian slogans on chargers along a major Russian highway.
According to Reznik, charging station security is a significant concern for the industry. “These stations often pose the weakest link, because they are stationary and relatively easy to access, yet most concerning is their connection to a critical infrastructure—the power grid,” he says.
Reznik warns that with the increase of electric vehicles on the road, cybersecurity risks will grow. “There are many ways hackers could infect electric vehicles and the charging network with malware,” he says. “And once inside the grid, they can potentially shut down the power supply to entire cities, or worse.”
To address those risks, Dellfer has partnered with several carmakers to batten down the hatches by securing auto ECUs, or electronic control units, and code updates. Wireless code updates make it easy for hackers to intercept and insert malware into code, which can affect thousands of cars.
Researchers showed how hackers could exploit security flaws in an internet-connected car as far back as 2015, hacking into a Jeep Cherokee’s electronics via a cellular connection to seize control of its steering, accelerator and brakes. The automaker recalled 1.4 million vehicles after the demonstration to install a software patch fixing the problem.
“Wireless updates introduce vulnerabilities,” Lorenz says. “Today it’s done using Wi-Fi and cellular via over-the-air updates that directly change the software of the car. Encryption is required to make that upgrade available, but being able to inject the right code into the software is more problematic and further complicated via the large amount of open-source code.”
Dellfer capabilities work to discover unknown vulnerabilities as automakers develop and update vehicle firmware. The functionality helps manufacturers harden vehicle code so it can’t be maliciously altered during over-the-air updates.
“Automakers must be able to verify through encryption, digital signatures and other tools that data packets being sent to the car are legitimate. There are right and wrong ways of doing this,” he says. “Everyone needs to keep their eyes on the prize to keep vehicles as secure as they can.”
Steps Toward Greater Security
To strengthen security, experts say the auto industry must work collaboratively to create stronger and broader security protocols, similar to those used by computer networks. According to the Alliance for Automotive Innovation, the industry needs a “multi-stakeholder, public/private approach that outlines clear cybersecurity roles and responsibilities, to protect against cyber threats.”
Other industry professionals, like Resnik and Lorenz, seek increased government oversight and regulation. In Europe, UNECE, a standards organization within the United Nations, has started WP.29, a focus group-framework aimed at harmonizing vehicle laws.
Within the WP.29 working group, regulation is agreed upon and mandates that carmakers globally own and be liable for the security protocols and controls of the entire supply chain.
“This evolving regulation went into effect in 2022,” says Peter DeNagy, president of Seccara, a vehicle cybersecurity and insurance company focused on the intersection of cyber risk, mobile strategy, autonomy, and artificial intelligence.
“This mandates that OEMs are responsible and moreover liable for security controls,” DeNagy says. “It doesn’t matter if the system(s) in the vehicle uses your code or someone else’s. If something fails because of a cybersecurity breach, the OEM is at risk of losing its Type Approval, which means they cannot sell cars in certain countries. Additionally, damages through litigation have the real risk of feathering down to every layer of the automotive supply chain, putting all stakeholders in jeopardy.”
WP.29 has pushed some automakers to move their strategic software/firmware development and coding in-house. Stellantis, Ford, Volkswagen and others are moving toward that development mindset, according to DeNagy.
“These actions are just as much about business continuity and corporate survival as it is about the deep need to act upon a robust and defensible cybersecurity strategy,” he says. “Everyone looks at what Tesla is doing and how they rack up dollars with every software update. Companies now see they must actively control software development as a highly secure function to stay competitive.”
Automakers must be very careful when bringing in outside untrusted vendor software, DeNagy says. “They need to be laser-focused and attentive to the source code, the developer capabilities and staff, and of the output of the product, whether it’s hardware or software, control systems, infotainment systems or integration with mobile apps,” he says. “They need to know and vet who they are working with and what went into developing the product.”
Reznik and Dellfer work with OEMs in the initial stages of design and development to build cybersecurity into vehicles from the get-go, dubbed “security by design.” With every new development, they work with teams to develop a list of security requirements to keep vehicles secure.
Automation is also key, Reznik says. The scarcity of software engineers (there’s a shortage of more than 3 million engineers in the U.S.) means OEMs may struggle to keep pace with technology innovations, and automation is needed to speed the process.
Cybersecurity Risk Insurance
“Over the next 10 years, the threat of cybersecurity risks will also drive transformative changes in the automotive insurance industry,” according to DeNagy.
“Who will be responsible if a hacker’s actions damage your car or worse, cause you to lose control and make the vehicle get into an accident?’ he asks. “Dealers will need to provide customers opportunities to buy cyber-risk insurance, because every stakeholder involved in the selling of that car, from the car manufacturer to the parts manufacturer, to the dealer, will have culpability. On the side of good, there will also be a revenue-and-margin opportunity associated for the sellers.”
Automotive cyber insurance answers the question of, “Who will pay for this?” If a vehicle ECU gets hacked, and there’s a problem, cyber insurance will cover the damages. Dellfer, for one, has partnered and integrated with Seccara to monitor sensors projected to be at risk, protect firmware, and monitor for OTA changes.
“Automotive cyber insurance will be a product offered to be sold by the dealers with the vehicle and/or an offering that is something you pay for later as an aftermarket add-on,” DeNagy says. “To participate, dealers will need to be compliant, parts OEMs will need to be compliant, and manufacturers will also need to be compliant.”
Vehicle cybersecurity risks will grow as vehicles become more high-tech and increasingly reliant on software and firmware to operate. As the global industry is noting the risks, they’re working on standards, regulations, automation and insurance tools to protect all involved from hackers intent on doing harm.
Ronnie Wendt is an editor at F&I and Showroom.