It’s a scenario out of a Stephen King novel: A driver cruising along a busy highway suddenly finds his car taken over by an outside force. First it’s just the radio, the wipers and the air conditioning behaving chaotically. Then — as an 18-wheeler bears down at high speed — the transmission shuts down.
All this actually happened to the Wired journalist Andy Greenberg recently when he agreed to let two hackers go to work on an Internet-connected Jeep he was driving.
The hackers, Charlie Miller and Chris Valasek, have been conducting government-funded research into the security of smart auto systems. They were able to take control of the Jeep from 10 miles away. Some 471,000 cars on the road are vulnerable to such attacks, they estimate. Their experiment should serve as a wake-up call to car manufacturers — and everyone else.
As you’ve no doubt noticed, more and more everyday objects are being rigged with sensors and connected to the Internet. By 2020, 50 billion such devices may be online. This phenomenon, known as the Internet of Things, promises all sorts of benefits to companies and consumers alike. But many of the manufacturers involved have little experience with digital security, and few customers know how to properly protect their cars (or toothbrushes) from malicious hacking.
As a result, commonplace items such as baby monitors, room locks and medical devices have already been hacked. Manufacturers should expect this to continue, and prepare for it to get worse before it gets better. That means making cybersecurity something more than an afterthought when designing new products. It also means being up front with consumers about exactly what those products are doing and sharing online.
As for carmakers, their vulnerabilities have been evident for years. Congress has badgered them on the topic repeatedly. Although they’re starting a group to pool cybersecurity data, called Auto-ISAC, there’s a lot more they could do.
For starters, they should boost investment in technology that can detect digital intrusions, and start automatically issuing security updates to their software. More important, they should ensure that critical controls, such as brakes and steering systems, are isolated from components that could be hacked.
They should also make wider use of outside security researchers — for example, by offering “bug bounties” to hackers who can identify vulnerabilities. A rating system that evaluates their progress, as a pending bill in Congress proposes, could help consumers determine which companies are taking cybersecurity seriously.
Carmakers have long competed on safety. They now need to broaden their definition of it to encompass the digital age.