Carmakers play catch-up on cyber security

WASHINGTON • When the history of the connected car is written, last week may go down as a pivotal moment for consumers worried about security.

The revelation by two technology researchers that they had hacked wirelessly into a Jeep Cherokee through its Internet-connected system - allowing them to take control of critical components like the engine, brakes and even steering under certain conditions - showed just how vulnerable the new breeds of connected vehicles can be, and the challenges that manufacturers face in defending against the types of attacks common in other technology fields.

"Customers are demanding new capabilities and more technology, so the risk is only going to increase for vehicles," said Mr Jon Allen, a Web security expert at Booz Allen Hamilton. Auto manufacturers, he said, know they need "to get ahead of this from a security perspective".

Such a Web-enabled threat is relatively new for the industry. Complex computer software has been used for years to power cars' performance, but those computerised brains were always walled off inside the cars themselves; they were not connected to the wider world.

For example, when the same researchers, Mr Charlie Miller and Mr Chris Valasek, hacked into a Ford Escape in 2013, they could do so only by plugging a cord directly into the vehicle. Now, the need for a cord is gone. About 27 million vehicles worldwide are now connected to the Internet, and that number is predicted to triple to more than 82 million by 2022, according to IHS Automotive.

"The reality is that this is something that needs to be on the forefront of the industry's radar," said analyst Akshay Anand at Kelley Blue Book. "It is not talked about as much as it should be."


Customers are demanding new capabilities and more technology, so the risk is only going to increase for vehicles.

MR JON ALLEN, a security specialist with Booz Allen Hamilton

The issue has drawn the attention of United States lawmakers. In February, Democratic Senator Edward Markey released a report that found only a handful of automakers had systems in place to even detect a hacking intrusion. Mr Markey, together with Senator Richard Blumenthal, also drafted legislation to establish federal Web security standards for vehicles.

General Motors said in a statement that it is taking "a multifaceted approach" and designing vehicle systems that can be "updated with enhanced security as these potential threats arise".

Volvo said its cars are "designed with several layers of protection in hardware and software" and "enhanced with encryption and security protocols that are unique to each individual car".

An Audi spokesman said the company intended to "constantly protect" its cars and customers against vulnerability risks.

Mr Anand said the future is likely to be one where constant vigilance is required. That could mean something akin to running antivirus software on computers - where intrusion threats are monitored in real time, both by consumers themselves and by automakers.

Senator Blumenthal said automakers have a responsibility to safeguard their vehicles. "It is as basic as selling a car without door locks," he said.


A version of this article appeared in the print edition of The Sunday Times on July 26, 2015, with the headline 'Carmakers play catch-up on cyber security'. Print Edition | Subscribe