In April, fraudsters targeted the Car2Go app-based vehicle-sharing service in Chicago, taking more than 70 vehicles in just a few hours. The vehicles were subsequently recovered, and the theft proved to be a case of fraudulent activity rather than a hack. The incident highlighted the growing risk of attacks on connected cars, especially as the industry looks towards an automated future.
Share Now, a joint venture between carmakers BMW and Daimler which includes Car2Go, has since enhanced the verification process for new accounts created in North America.
The incident highlighted the damage potential of such a breach. While attacks on ordinary laptops can result in stolen data or can render a computer useless, a vehicle under the control of criminals could, in theory, be used to cause gridlock or even injury and death.
Upstream Security, which monitors cyber attacks on connected cars, lists more than 260 worldwide since 2010 and the number is growing.
In the year to date, 71 car cyber attacks have been recorded compared with 73 for the whole of 2018. In the past, cloning electronic keys has been the most common way of gaining access, but with cars becoming more and more connected, hackers have all sorts of other means at their disposal. Indeed, over a quarter of attacks exploit cars’ cloud servers or mobile apps.
In 2015 an article in Wired outlined how two researchers seized control of the wheels and pedals of a Jeep Cherokee, causing the vehicle to run itself into a grassy ditch. The incident led to a recall of 1.4m cars.
Karamba Security, an automotive cyber security company, is working with manufacturers to stop factory settings being altered in real time. The only changes allowed are from the system provider. The technology should be in cars within two years.
Much of the innovation in the sector is being driven by independent companies rather than regulators. The automotive industry lacks mandatory standards on cyber security but there are various governmental initiatives. In 2016, SAE International, a professional body for car and aerospace engineers, published guidelines for automotive cyber security to help with secure design and testing. It is trying to turn these into a global standard.
The UN Economic Commission for Europe (UNECE), a regional body set up to promote economic integration, currently has a task force working on recommendations for cyber security in the automotive industry. And the US and EU have published guidelines with the aim of influencing the way self-driving cars are developed, regulated, and policed. However, for the moment, compliance is voluntary.
Find out more from this Financial Times article.