The communication interface through which, for example, manufacturers and garages can digitally access cars to install updates for software and assistance systems or to read out the fault memory also represents a gateway for hackers and cyber criminals. Cyber attacks on vehicles could become much more important in the future. The danger of monetarily motivated attacks directed against manufacturers or fleet operators is still relatively low. The situation is different for politically, ideologically or emotionally motivated attacks. Karsten Crede from ERGO Mobility Solutions provides an overview.
Our cars have become smarter and smarter in recent years. Various digital applications not only make driving easier, they also make it safer, more entertaining and more individual. Garages and manufacturers can also access the vehicle “over the air”, install updates for software and assistance systems or even read out the error log.
To make all these new services possible, the vehicle needs one thing above all: a communication interface with the outside world. The problem, however, is that this “door” can also be used by those you don't want in your vehicle. In short, as the level of digitalisation has increased, the vehicle has also become a potential target for hackers and cybercriminals.
Several studies have shown that a vehicle is fundamentally hackable. The most prominent in the media was probably the hack by Charlie Miller and Chris Valasek in 2015. Together with journalist Andy Greenberg, they showed more than seven years ago what is possible. Without ever having been in the vehicle, they were able to take control of a Jeep Cherokee in which Greenberg was on the highway at the time.
They had almost full access to the vehicle. Their options ranged from “little pranks” like manipulating the vehicle's screen and turning up the music volume to major and safety-related interventions like turning off the engine or taking over the steering system.
There were two reassuring things about this hack. First, Miller and Valasek meant no harm. The hack was designed as a scientific experiment. The manufacturer Fiat Chrysler Automobiles subsequently recalled about 1.4 million vehicles to close the corresponding security hole. The second piece of good news was that this attack was not feasible overnight. Even two of the best IT experts on the planet needed several months to finally hack into the vehicle.
Nevertheless, cyber attacks on modern networked vehicles represent a real danger. Moreover, this danger must be assessed differently from classic cybercrime, which has always focused primarily on computers belonging to companies and private individuals. A virus or malware on a computer is a hassle and, in the worst case, causes financial damage. In a car, however, a cyber attack can also have fatal consequences if, for example, a hacker manipulates the brakes at high speeds.
When asking how likely such attacks are in reality, one must also look at the motivation of the hacker. If the attacker has monetary interests, then in addition to classic theft it is above all blackmail scenarios through which the hacker hopes to receive a payout. Such extortion can be directed against manufacturers, fleet operators or even private individuals. The ransomware attack, as known from the traditional computer world, in which all data is encrypted and only released after payment of a ransom, can be transferred to the car scenario. The only difference is that no data is encrypted here, but the vehicle is immobilised.
The user must then weigh up which is the lesser evil: paying the ransom or “repairing” the vehicle on their own. The first insurers are starting to explicitly include cyber attacks in their policies. However, it is still difficult to quantify the risk precisely.
The estimated annual damage to German companies from cyber attacks was recently over 200 billion euros. The coming years will show how relevant the topic will become for motor insurance.
The danger of monetarily motivated attacks is still relatively low. Such attacks follow economic patterns and are only attractive if in the end the profits exceed the costs. In the vast majority of cases, however, the costs of such hacks – especially due to the immense time involved – are so high that hardly any attacker would achieve a positive balance, regardless of the scenario.
The situation is different with politically, ideologically or emotionally motivated attacks. Economic laws do not apply here. The spectrum of such attacks is broad. In 2010, a dismissed employee of a car dealership in Texas gained access to over 100 vehicles. He immobilised some of them, and made others honk their horns continuously and uncontrollably. But scenarios involving injuries and deaths are also conceivable.
The problem of cyber attacks on vehicles will become more important in the future. The automotive industry and the public sector have been working on the development of suitable defence measures for quite some time. In terms of regulation, for example, UNECE Regulations R155 (Cybersecurity Management System) and R156 (Software Update and Software Update Management System) have been in force since last summer. This means that manufacturers must prove that their systems are secure and that hackers cannot gain access.