In the 2000 Hollywood action heist film Gone in 60 Seconds, a character called Toby, played by actor William Lee Scott, hacks into the state department of motor vehicles database to find the cars the protagonist Randall Memphis Raines (Nicolas Cage) plans to steal. He is helped by another character who can hack into insurance files and change the vehicle identification number (VIN).
In After the Sunset (2004), master thief Max Burdett (Pierce Brosnan) hacks into a Chevrolet Suburban’s OnStar in-car communication system to take remote control of the vehicle. The Fast and the Furious film series has numerous instances of similar hacks.
While these are examples from the fictional world, it appears that in the real world too, sooner rather than later, there is an increasing risk of cars being hacked. Last month, the US Federal Bureau of Investigation (FBI) and US National Highway Traffic Safety Administration (NHTSA) released a bulletin which noted that “cars may be increasingly vulnerable to hacking.”
“The FBI and NHTSA are warning the general public and manufacturers—of vehicles, vehicle components and aftermarket devices—to maintain awareness of potential issues and cyber-security threats related to connected vehicle technologies in modern vehicles… the rise of ‘smart’ cars has made it easier for hackers to infiltrate their computer systems,” the agencies wrote in the bulletin.
In fact, the risk is so real that people who suspect their car has been hacked were told to get in touch with the FBI. The agencies noted that risks come with the increasing number of computers in vehicles—in the form of electronic control units (ECUs) that control a wide array of functions, from steering, braking and acceleration to lights and windshield wipers.
Last year, Chrysler issued a formal recall of 1.4 million vehicles that may be affected by a hackable software vulnerability in the company’s Uconnect dashboard computers. Again last year, two researchers found that they could plug their laptop into a network cable behind the Tesla Model S’s driver-side dashboard, start the car with a software command, and drive it. They could also plant a remote-access Trojan on the Model S’s network while they had physical access, then later remotely cut its engine while someone else was driving.
There haven’t been any recorded incidents of a hacker taking control of a moving vehicle—there is no way to drive, steer or apply the brakes of a car using a remote control unless there are previously installed mechanical devices that can operate those controls. Yet the risk is real because, apparently, there is no mechanism that limits how car systems interact with wireless communications.
Self-driving cars—like the ones Google is working on—have another issue to deal with. They can be stopped suddenly with a laser pointer! How? Such cars use a technology called LIDAR (Light Detection And Ranging), which is installed on top of the vehicle and constantly maps the surroundings. A computer then creates images based on the data collected. A laser pointer—one which can create fake images of cyclists, pedestrians or other obstacles—can easily confuse the LIDAR, which can then stop the car. This was published in a paper by Jonathan Petit, a fellow of University of Cork’s Computer Security Group. Clearly, while autonomous cars could cut the road death risk, without better security there could be new kinds of risks, such as car hacking and ransom demands.
However, in the Indian context, there are some years to go until we start facing such risks. Abdul Majeed, partner, Price Waterhouse, and an auto expert, says that, in India, there is no vehicle-to-vehicle or vehicle-to-infrastructure communication. However, he adds that very soon we will have to start thinking about meeting challenges such as car hacking.
“Cars in India are designed for mobility, not for connectivity. But last week we saw that Indians are showing interest in Tesla Model 3. That car will come with a lot of connectivity features. If we don’t start thinking today, the car hacking risk can hit us in the face,” he adds.
In India, currently, it is only Ford cars fitted with the company’s SYNC feature that can talk to the infrastructure. In the unfortunate event of an accident, SYNC automatically makes a call to an emergency number for support. “At this point of time, the SYNC is not vulnerable to hacking because the guy who wants to hack, wants to get benefit out of it,” Majeed adds.
An analogy can be drawn with the smartphone industry. When smartphones first arrived during the last decade, people primarily used these for making and receiving calls. Nobody installed antivirus protection. Today, voice calls are just one function of a smartphone, and an antivirus is a necessity.
Similarly, as vehicles in India start being designed not only for mobility but also for connectivity, Indian automotive OEMs—apart from thinking about efficiency, emissions and safety—will also have to start thinking about cyber-security.