A photo illustration of mock passengers as computers. Cars now carry electronics and thousands of lines of code.

Story highlights

A landmark study suggested cars could one day become the victim of cyber attacks

Cars already contain a huge amount of electronics controlled by thousands of lines of code

Mobile phones, internet access, bluetooth connections all open doors for hackers

Unlike a PC, a cyber attack on a car could result in the loss of life

Financial Times  — 

The dashboard clock starts to count down from 60 to zero and, unprompted, the car horn begins to honk. The driver looks on helplessly as cyber criminals mount a vehicle “self-destruct” attack, killing the engine and locking the passenger doors.

This is not a scene from a Hollywood movie but a scenario tested by researchers at the University of California San Diego and the University of Washington.

Their landmark study suggested cars could one day become the victim of cyber attacks that compromise electronic systems and endanger passenger safety.

Cars long ago ceased being purely mechanical machines and already contain a huge amount of electronics controlled by thousands of lines of software code which relay critical data over onboard computer networks.

As vehicles are integrated with mobile phones and gain internet access, bluetooth connections, infotainment services, diagnostics, telematics and downloadable apps, there is a risk they could suffer the same viruses and malicious cyber attacks that bedevil other IT systems. Unlike a PC, where the biggest risk lies in losing data, a cyber attack on a car could result in the loss of life.

Carmakers and suppliers say that this is currently a purely theoretical problem and there are no known cases of a cyber attack causing a car to crash.

Cars are also a less financially attractive target for cyber attackers than, say, a bank, and there are easier ways for criminals bent on sabotaging or damaging a vehicle than hacking into it.

Nevertheless, hackers are often not motivated by financial gain but wish simply to prove their ability to crack a system for the bragging rights.

Therefore as the industry moves towards a future of “autonomous” driving where vehicles are able to steer and brake by themselves, carmakers are also waking up to the potential risks of the “connected vehicle” and investing significant resources to prevent safety-critical systems from being compromised.

“We are very much aware that we have to build firewalls into systems. As vehicles gain WiFi hotspots . . . there are more and more intrusion possibilities,” says Hans Roth, director of technology marketing at Harman, the car audio and entertainment supplier. “We don’t want that kind of thing to happen that [the car] is being hacked.”

Indeed, safety is of paramount concern for the industry, not least because in the event that vulnerabilities or faults are discovered, vehicle recalls can be hugely expensive.

Dirk Hoheisel, board member responsible for automotive electronics and car multimedia at Bosch, the supplier, says: “Currently I don’t think we have an issue – because we have only internet connections to the infotainment system that displays information – it’s not really going deep in the architecture of the car . . . But in the next years we will have to discuss the issues that could come up.”

Carmakers and suppliers have identified a number of ways to protect vehicles from hackers. One is to keep safety-critical control units such as anti-lock brakes and engine controls on a separate network from those that relate to infotainment, for example.

Although these internal networks must sometimes communicate with one another – to display vehicle data on the head unit display, for example – they do so via a highly secure central gateway. Often these internal vehicle networks run different operating systems, which in turn provide a kind of natural firewall.

Second, carmakers are increasingly vigilant about the software and data they allow to enter the vehicle. For example, when a Mercedes-Benz driver requests data from the internet, this is processed via an external Daimler back end server. The data then move to the car via a secure virtual private network connection.

Many carmakers now offer customers downloadable apps such as via Toyota Motor’s Touch, Ford’s Sync and Chrysler’s Uconnect systems. However, these tend not to be fully open but rather offer a limited number of secure, approved apps.

Mr Hoheisel, at Bosch, says: “At the moment we don’t have open app stores in the car industry – these are really protected and shielded systems.”

A Ford spokesman says that “the safety, privacy and security of our customers is paramount” and therefore any software updates are “code-signed” and must be recognised as coming from Ford in order to update its Sync system.

Third, carmakers have begun probing their vehicles for cyber vulnerabilities and modelling potential attack scenarios to ensure the electronics architecture is secure. Last year Bosch acquired Escrypt, a specialist in embedded system security technologies for the automotive industry. “Together with Escrypt we can offer analytics to carmakers and tier one suppliers to improve their architectures,” says Mr Hoheisel.

Daimler has an in-house team that focuses exclusively on vehicle IT security and it also commissions external audits to test its vehicles for vulnerabilities.

“The car is becoming a connected device . . . so this [hacking] scenario exists and we recognise this and are very occupied with the subject of security,” says Ralf Lamberti, head of telematics at Daimler’s research department. “But we also have to recognise that those who style themselves as cyber criminals, or hackers, are also looking at it . . . which means that, sooner or later there could be this kind of [hacking] attempt.”