The U.S. Federal Bureau of Investigation (FBI), in cooperation with the U.S. Department of Transportation, put out a written public service announcement (PSA) last week detailing the agency’s concerns regarding automotive cybersecurity and its recommendations for the driving and vehicle owning public. The PSA followed by four days the explosion of a Volkswagen Passat on Bismarkstrasse in Berlin, Germany, during the morning rush hour.
The explosion of the Passat which killed the driver, a suspected and previously convicted organized crime figure, was believed by investigators to be linked to organized crime, not terrorism. But given the recently expressed concerns regarding automobile cybersecurity, it was impossible to ignore the juxtaposition of the two events – the explosion and the PSA.
The impossibility of ignoring the connection between the two stories was made even more obvious by one of the recommendations in the FBI’s PSA:
“In much the same way as you would not leave your personal computer or smartphone unlocked, in an unsecure location, or with someone you don’t trust, it is important that you maintain awareness of those who may have access to your vehicle.”
This very sound advice follows descriptions, in the FBI/DOT PSA, of the various ways cars can be hacked wirelessly or via devices plugged into the car including smartphones and OBDII devices, such as Progressive’s Snapshot usage-based insurance device. The message from the FBI and the DOT is clear, that cars are highly vulnerable to hacking and that consumers should ensure that their software is up to date and that any outstanding recalls have been corrected.
http://tinyurl.com/jnaer5b – “Motor Vehicles Increasingly Vulnerable to Remote Exploits”
The four key warnings from the FBI include the aforementioned one to take care to prevent unauthorized access to one’s car. The other three are:
[LIST=1]
Interpreted more directly, I’d say the FBI and DOT were more or less seeking to put the kibosh on the entire OBDII aftermarket business. The PSA warns against using such devices or at least raises questions regarding their reliability and safety. What is missing is any process for establishing that reliability – so the FBI and DOT, at least, are warning consumers very directly to stay away from these devices.
The problem is that there is nowhere to go to get a warranty on the safety of using an aftermarket device in a car. This is very bad news for insurers, such as Progressive, depending on these devices. Other than Progressive, most insurers around the world have been quickly moving away from the use of OBDII devices after recalls (ie. American Family device recalled) and hacks have exposed their weaknesses. The FBI and DOT are also no fans of connected smartphones in cars.
But the FBI and DOT seem to also be raising questions regarding car sharing. If you share your car or use a car sharing service, how can you be sure the vehicle is safe, secure and clean? The bottom line is that you can’t.
The FBI isn’t saying not to use ZipCar or Car2Go or any of a dozen other car sharing services, but the agency is raising questions regarding the potential downside to connected car technologies – even as it tips its hat in the PSA to the virtues of using car data to reduce fuel consumption, emissions and traffic congestion and anticipate vehicle failures. Having read the PSA, the average consumer is going to think twice before hopping in a shared car.
The real concern regarding connected cars is the enhanced ability of thieves to use connectivity technology to steal the car or the driver’s identity or to steal control of the car remotely. Unlike the car bombing in Berlin, no malicious hacker has yet used remote control of a car for malicious purposes with any serious consequences. Most hacks, to date, have been white hat exploits with the hackers sharing the details of their work with the effected car maker – with a few notable, though unpublicized and exceptional, attempts by black hat hackers to blackmail car companies.
What the past two years’ worth of hacks have demonstrated is that cars are highly vulnerable and can be penetrated by determined hackers. Some hacks, such as the Skoda Wi-Fi gateway hack and the recent Nissan Leaf hack, have revealed gaping security holes largely the fault of careless developers. Hopefully the auto industry has learned some basic lessons from these exploits.
Of greater concern are malicious hackers in the world that have discovered the vulnerabilities of cars and for whom a ransomware attack on a car might be an appealing opportunity. It is not too much to imagine hackers requiring payment from a car owner to restore control of their vehicle.
The more immediate concern remains vehicle theft, which is currently at historic lows. A recent conversation with a senior security executive at the U.K.’s Thatcham Research Centre revealed that over the past 20 years, the steady enhancement and implementation of Thatcham’s security standards have contributed to reducing vehicle theft by 90% – but it is far from zero. The U.S. has no equivalent of Thatcham.
Vehicle theft is down in the U.S. as well, but the emergence of vehicle connectivity and its ability to create new pathways into opening up and starting cars could alter that trajectory. It seems the PSA from the FBI and DOT is just one way that the National Highway Traffic Safety Administration is seeking to keep the pressure on auto makers to take on and mitigate the current cybersecurity challenges. Presumably, the industry has gotten the message.
Roger C. Lanctot is Associate Director in the Global Automotive Practice at Strategy Analytics. More details about Strategy Analytics can be found here: https://www.strategyanalytics.com/access-services/automotive#.VuGdXfkrKUk
Real men have fabs!