We normally associate cyber security with computers, but the addition of smart, connective technology to the vehicles we drive has opened up new vulnerabilities for hackers to exploit.
In its 2022 Global Automotive Cybersecurity Report, Upstream, a cybersecurity and data management platform, revealed that cyber attacks on cars have soared 225% in the last three years. They found that the most common automotive cyber attacks saw a data or privacy breach, followed by car theft or a break-in via the car’s wireless key fob mechanism.
Charles Griffiths, Head of Technology and Innovation at AAG explains this worrying trend, highlighting the measures manufacturers and governing bodies are taking to keep drivers and their cars safe.
What’s at risk?
It is predicted that all new cars sold in the UK will be connected to the internet by 2026, which exposes our vehicles to significant cyber threats. Without effective cyber security, everything from the infotainment system to the engine control unit is at risk.
The issue is that the move toward connected, autonomous vehicles is outpacing automotive cyber security measures and regulations. While it’s easy to think that the cyber security risk is limited to electric, semi-autonomous or self-driving cars, the threats encompass those with Internal Combustion Engines too.
Through the internet, hackers can exploit vulnerable systems remotely, stealing information without needing to be inside the car. Cyber security considerations are paramount to the success of the next generation of the cars we drive. Without it, the risks below are just some of those that drivers may face.
- Infotainment systems: Information that is shared between your phone and infotainment system can be intercepted by malicious actors (hackers), putting your personal data at risk.
- Remote key fob: Popular car models like the Volkswagen Golf and Ford Fiesta are equipped with keyless key fobs as an easy way of entering your car. However, hackers can clone your key signal, giving them easy access without needing to steal the keys.
- Engine control: Once carjackers have entered a car with a cloned key, they can hack the engine control unit to turn the engine on and drive away. For cars in motion, they can tamper with settings like the auto-brake or steering, potentially causing a serious accident.
In recent months, we have seen major car makers come under scrutiny for their cyber security:
- Honda acknowledged that hackers can remotely start the engine of some models and unlock doors by taking control of the car’s remote keyless entry system after the flaw was exposed by researchers. Affected models include the popular Civic Hatchback. The carmaker warns owners to protect their key fobs by keeping them in a Faraday Pouch and now offers a key reset if the owner suspects they may have been targeted.
- Tesla cars, specifically the Model 3 and Model Y, were shown to be vulnerable to a Bluetooth hack which can also be used to unlock other marques, revealed by NCC Group, a UK-based cybersecurity research firm. The NCC recommends that Tesla owners use the ‘PIN to drive’ feature as an additional layer of security.
What are manufacturers and governing bodies doing?
Research from MarketsandMarkets predicts that the cyber security market for cars will grow from $2bn (£1.59bn) last year, to $5.3bn (£4.23bn) by 2026.
The United Nations Economic Commission for Europe (UNEC) has taken the lead in unifying and complementing transport regulations, specifically for electronics, telematics and related cyber security.
In 2020, UNEC published regulations that require manufacturers to provide evidence of a certified Cyber Security Management System (CSMS) and to have a Software Update Management System (SUMS). Both are now necessary for a new car to be approved – without the certification, manufacturers will not be able to sell these vehicles.
Sarah Tooze, Consumer Editor at CarSite gives consumers some sensible advice: “Technology is progressing quickly, and we all need to be aware of what we can do to protect ourselves and our cars. Updating software when required is a must. Most car makers help in this area by offering over-the-air updates automatically to ensure their vehicles are safe and secure.
Car manufacturers and equipment suppliers are investing heavily in cyber security technologies and strategies, but there is still more work to be done. An effective measure that drivers can take is making sure that they delete any personal data that is stored in their car before they sell it. If you are concerned about cyber security for your car, talk to your car dealer or manufacturer about the latest mitigation strategies.”
What can drivers do to stay safe from cyber attacks?
- Securing your car’s systems: Make sure that your car’s systems are properly secured, with strong passwords.
- Keep your car’s software up to date: Install the latest software updates for your car’s systems immediately. These often contain security fixes.
- Be aware of cyber threats: Stay up to date on the latest cyber security threats and how to protect against them.
- Be careful when using third-party apps: It’s advisable that drivers only use the apps provided by the vehicle manufacturer.