Most cars on the road today have over 100 electronic control units (ECUs), and many maintain connectivity through Bluetooth, cellular, Wi-Fi, and remote keyless entry. Each of these channels is a potential source of vulnerabilities — and the risk only increases the more connected cars become.
A NewtonX survey of autonomous vehicle executives/senior engineers found that the number of connected car shipments will reach well over 60M by 2020 (up 15M from 2018). This, combined with the increased sophistication of hackers, will contribute to a $6B auto cybersecurity market. The industry is relatively new today, but is projected to grow enormously over the next ten years.
Hacking Cars is Much Easier Than Many Vehicle Software Providers Realize
In April 2019, a hacker going by the pseudonym L&M broke into 27,000 GPS tracker app accounts. The access enabled them to monitor the locations of tens of thousands of vehicles, and to turn off the engines of some of them while they were in motion. While the hacker was an ‘ethical hacker’ — meaning they had no intent of leveraging the access for malicious causes, but rather sought to expose the GPS trackers’ vulnerabilities — the incident demonstrated the extent to which much automotive software can be manipulated. The hacker also scraped user data including real names, phone numbers, email addresses, and physical addresses.
This incident was not isolated. The number of cyber attacks on connected cars is growing: in 2018 over 70 attacks occurred, and 70 more have already been reported in 2019. More than 25% of these attacks were conducted through cars’ cloud servers or mobile apps, and roughly a quarter of the attacks gave the attacker control of car systems.
The NewtonX survey revealed that a primary motivation for many hackers is the collection of personal data: names, emails, addresses, bank information, passwords, etc. There has yet to be an attack that intends to disrupt traffic or kill a driver/passenger, but the possibility is very much there. Indeed, in 2015 two researchers hacked a Jeep and forced the car to run itself into a ditch, resulting in the recall of 1.4M cars.
Incidents such as these have contributed to growing investment in the auto cybersecurity market. For instance, GuardKnox, an Israeli startup, recently raised $21M in Series A funding to provide cybersecurity solutions to the auto industry, including fleet management systems. The company’s Secure Network Orchestrator (SNO) is an end-to-end solution that secures the car’s internetwork communications by using deterministic routing and contextual layers to reject data that appears fishy.
Other companies, such as Argus and Trillium, likewise offer cybersecurity services to vehicle fleets and car manufacturers. Karamba Security offers a solution that simply ignores commands outside the scope of predefined functions to protect cars from hostile takeovers. IOActive, another auto cybersecurity firm, implements various levels of access controls in order to prevent a hacker who, for instance, gains access to a part of the car via Bluetooth from moving on to controlling other systems or gaining control of the car.
With Little Regulation, Auto Cyber Security Will Be Customer-Driven
The US and EU have both published guidelines for the operation and protection of connected vehicles, but compliance with these guidelines is not mandatory. However, there are market developments (and, of course, liability concerns) that are pushing AV and connected car manufacturers to value cybersecurity.
Software naturally lends itself to a longer relationship between vendor and customer. Where a traditional car from 20 years ago could continue running just fine long after the manufacturer had stopped supporting it, connected cars need ongoing support for their electronic systems in the case of bugs, updates, and vulnerabilities.
This shift in how vendors relate to their customers will increasingly make vehicle cybersecurity and post-sale cybersecurity support a competitive differentiator. Even if regulation is late to the game, vehicle hacker protection will undergo meteoric growth as AVs hit the streets.