Skip to main content
security

One expert conceded autonomous vehicles would be vulnerable to attack just as other Internet-based technologies are.Getty Images/iStockphoto

Auto makers may have been jarred by suggestions the U.S. Central Intelligence Agency discussed hacking into a key system used on millions of vehicles.

It was a passing reference in a deluge of alleged CIA documents dumped recently by WikiLeaks – 2014 notes from a meeting of the agency's Embedded Devices Branch looked at "potential mission areas," including cracking BlackBerry QNX software, which manages vehicle infotainment systems.

The operating system is a kind of traffic cop that harmonizes disparate functions, such as mobile phones, Internet connectivity and navigation. It is found on more than 60 million vehicles across dozens of popular marques.

It's not clear what the CIA's objective might have been; perhaps gaining access would allow it to eavesdrop on calls from the vehicle and even monitor conversations in the cabin.

BlackBerry quickly issued a statement affirming the security of its software and related hardware, and its vigilance in monitoring for potential vulnerabilities. Its systems, starting with BlackBerry phones, have security designed in from the ground up.

"We are the gold standard in the industry for a well-proven reason," corporate communications director Sarah McKinney said in an e-mailed statement.

A post by chief operating officer Marty Beard on the Inside BlackBerry blog reiterated that assurance, adding the company was unaware of any hacks or exploits of its QNX system.

"Still, the news is a bit frightening, now that we are in the semi-autonomous driving age and evolving toward fully self-driving cars," Beard wrote. "The notion that some day a car could be hacked and used to carry out a nearly undetectable assassination doesn't seem all that far-fetched."

Any outside intrusion is a sore spot. A customer backlash forced General Motors Co. to rescind a planned change in the terms of service for its OnStar system that would have allowed the collection of data even after customers cancelled it.

But the idea of evil-doers hijacking the whole vehicle gives even experts the willies as we move toward autonomous vehicles (AVs). The precursor technology is already on board. Think of Tesla's auto-pilot system. Cadillac just announced it was making vehicle-to-vehicle information sharing standard on all new models.

Researchers succeeded in taking remote control of a Jeep in 2015, including steering, brakes and transmission.

Asked about the WikiLeaks document, Fiat Chrysler Automobiles (FCA) said via e-mail that the remote vulnerability turned up by the researchers "was effectively eliminated in all affected vehicles.

"FCA U.S. remains committed to working with the industry and its suppliers to continue developing best practices to minimize vehicle cybersecurity risks," the company said.

The automotive division of Harman, a U.S. electronics company, is working on a hacker intrusion-detection system as part of its overall security suite.

All AVs will require some form of network connectivity to work.

Google has designed its Waymo prototypes to operate primarily using its on-board sensors, but still with occasional contact with the cloud to get information such as traffic reports.

"Our cars communicate with the outside world only when they need to, so there isn't a continuous line that's able to be hacked, going into the car," Waymo chief executive officer John Krafcik told the Financial Times in January. "When we say that our cars are autonomous, it's not just that there's not a human driver, but also that there is not a continuous cloud connection to the car."

Other AVs rely on a combination of on-board sensors, vehicle-to-vehicle communication and network infrastructure.

A 2016 report on AV technology aimed at government policy makers touched on data security.

"Global technology company stakeholders and global auto industry association stakeholders told us that building robust security protocols across many different auto makers' vehicles and different communications platforms is likely to be very challenging technically," said the report by RAND Corp., a U.S. think tank.

One expert conceded AVs would be vulnerable to attack just as other Internet-based technologies are.

"The security requirements for AV communications may be a potential inhibitor to mass deployment," the report said.

The issue rated only a brief mention in the 185-page report because it seemed to be less of a problem when most of the research was done in 2013, lead author James Anderson said in an interview.

"People weren't as focused on it as they are today," said Anderson, director of Pittsburgh-based RAND Institute for Civil Justice.

A new report on liability implications of cybersecurity risks in automated and connected vehicles, expected out this summer, will delve deeper.

"The majority of visions of automation rely on some kind of external connectivity," Anderson said. "Along with that external connectivity comes the risk of hacking."

One potential safeguard is isolating infotainment systems from the computers that help drive the vehicle, he said. That would close at least one pathway to remote control. Another is to build in fail-safes so AVs will automatically pull over and stop in the event of a disruptive hack.

Overlooked vulnerabilities open the door to hackers taking over not just one car but perhaps hundreds, Anderson speculated.

"It's not hard to imagine very bad things happening," he said. "The actual risk of those very bad things happening, it's hard to gauge."

Interact with The Globe