What’s the most sophisticated piece of computer equipment you own?
If you said your laptop or your smartphone, you’re probably wrong. According to a report by McKinsey and company, “Today’s cars have up to 150 ECUs and about 100 million lines of code; by 2030, many observers expect them to have roughly 300 million lines of software code. To put this into perspective, a passenger aircraft has an estimated 15 million lines of code and a modern fighter jet about 25 million. A mass-market PC operating system close to 40 million.”
Where computers go, hackers follow. According to a New York Times story reporting on both laboratory hacking experiments and a few real-world incidents, “hackers seemingly can’t wait for the opportunity to commandeer vehicles.”
The story cites a test in which cybersecurity company Karamba exposed a simulated vehicle control unit on the internet to attract hackers. It was attacked 25,000 times in the first three days.
In 2015, a hacking experiment led to a Jeep recall of 1.4 million vehicles to fix a security flaw. That incident allowed hackers to shut a car down remotely. Then there’s a South African incident in which thieves robbed a freight company after gaining access to its tracking system. They hid the location of the company’s trucks from management.
Vulnerabilities grow
As cars get more sophisticated, potential vulnerabilities grow. Automakers now use over-the-air updates to improve a car’s performance with software patches they deliver remotely. The industry is also researching self-driving systems that someday may allow owners to leave the driving to the car. Yet those same enhancements could result in cars more capable of downloading malicious software. This could allow hackers to gain access to even the steering and acceleration of a vehicle.
Researchers caution, however, that these threats are largely theoretical. Hacking into a car is a very challenging endeavor, and the return on effort, in most cases, is quite low. The NYT article notes that “safety measures are being taken along every step of the manufacturing chain, from software to hardware design.”
The modular nature of much of car design can be either a vulnerability or a defense. It’s common where the engine control unit may come from one supplier, the infotainment system from another, and steering components from a third. This means that there isn’t a single point-of-entry that gives hackers access to control a car. Manufacturers now commonly build firewalls between systems. This is “to ensure that such elements as infotainment systems are prevented from passing code to systems that regulate speed, steering, and other critical functions.”
Governments are also beginning to legislate vehicle cybersecurity standards. A regulation requiring automakers to report any detected hacking and certify cybersecurity readiness takes effect in Japan and South Korea next year and in Europe in 2024.
While the U.S. isn’t a participant in that effort, most cars are now global products. Even vehicles on the market in America adhere to the strictest standards anywhere.
