Consumer Watchdog, a non-profit organization, stated that all advanced cars with Internet connections to their safety-critical systems are apparently vulnerable to fleet-wide hacks.
The report, Kill Switch: Why Connected Cars Can Be Killing Machines And How To Turn Them Off, revealed that automakers have disclosed the high risk of such hacks to their investors, but are keeping the public in the dark as they market new features based on Internet connections. For example, Ford disclosed to the Securities Exchange Commission in its 10K filing that the company and its suppliers have been the subject of a malicious hack, but the public is unaware of the exact details.
Researchers stated that most connected vehicles share a similar vulnerability. According to the report, the infotainment system is connected to the Internet through a cellular connection, and also to the vehicle’s CAN (Controller Area Network) buses. This outdated 1980s era technology links the vehicle’s most critical systems, such as the engine and the brakes. Experts agree that connecting safety-critical components to the Internet through a complex information and entertainment device is a security flaw. This design allows hackers to control a vehicle’s operations and take it over from across the Internet.
The report revealed that every connected car comes with an Internet kill-switch that physically disconnects the Internet from safety-critical systems. It concludes that future designs should completely isolate safety-critical systems from infotainment systems connected to the Internet or other networks.
“Connecting safety-critical systems to the Internet is inherently dangerous design,” said Jamie Court President of Consumer Watchdog. “American car makers need to end the practice or Congress must step in to protect our transportation system and our national security.”
“Despite working on the problem for more than a decade, carmakers have proven incapable of creating Internet-connected vehicles that are immune to hacking, which is the only standard that can keep consumers safe,” the report concludes. “With connected cars rapidly overtaking the market, consumers will soon have no haven from the online connections that threaten them.”
A similar study by Ponemon stated that nearly 30 percent of companies in the automotive segment does not have a proper cybersecurity team to handle its technology and security infrastructure, let alone secure smart cars. The state is so dire that many do not even engage a third-party vendor to secure the software in the connected cars.
The study also pointed out that nearly 63 percent of all vehicle manufacturers do not even test half of their software, hardware and other technology deployed in their vehicles. The study sampled 15,900 IT security practitioners and engineers in the automotive industry.