Imagine a scenario in which malicious hackers take control of entire fleets of cars and cause them to crash. It’s not science fiction anymore.
The good news is that such a Hollywood-style plot to target millions of internet-connected cars is highly unlikely, according to experts. The bad news is that more frequent, small-scale attacks on cars are increasingly likely as automobiles become yet another connected device in the internet of things.
“The bigger concern would not be one virus taking us all down, but a whole host of viruses and a whole host of malicious attacks, taking down a whole bunch of connected devices,” said Josipa Petrunic, chief executive officer of the Canadian Urban Transit Research & Innovation Consortium (CUTRIC). The organization brings together governments, academics, industry and transit agencies to collaborate on emerging low carbon, internet-connected, transportation technologies.
As more vehicles are able communicate with the internet – and eventually to each other, and to traffic lights and roads using high-speed 5G data – all of those points of communication could potentially be the site of a malicious attack, Petrunic said.
Linking cars to the internet opens them up to many of the same threats faced by computers and smartphones, such as data breaches, theft, identify theft, spyware, malicious apps, invasions of privacy, corporate sabotage or even terrorism, said software experts from the automotive division of BlackBerry Ltd. The Waterloo, Ont.-based company’s secure QNX automotive software platform is designed to protect vehicles against these and other cyberthreats. QNX software is found in more than 150 million vehicles on the road today.
“Taking an individual target off the road, that is a potential [scenario],” said Andrew McKim, principal software developer at BlackBerry Ltd. "Malicious actors will really maybe go after a particular vehicle, a particular person.”
Charles Eagan, chief technology officer at BlackBerry, said some organizations – he wouldn’t elaborate on which companies or governments – are already conducting vulnerability assessments on important persons’ vehicles, to make sure they are secure against cyberattacks.
“Today, if you read the news, you know cars are getting hacked, identities are getting taken,” Eagan said. The more connected to the rest of our digital lives cars become, the more valuable personal data they will carry, which makes them a more appealing target. In the future, as connected vehicle technology eventually enables self-driving cars, ensuring their cybersecurity will be critical.
As of this year, 93 per cent of new vehicles will offer some form of internet connectivity, according to a report from research firm IHS Markit. A recent estimate from market advisory firm ABI Research put the number of connected cars already on the road at about 100 million, with 10.5 million more being added in 2020.
The number of connected cars on the road varies, depending on how you define them. Generally, the term “connected vehicle” or “connected car” refers to passenger vehicles that have a built-in wireless data connection, but it can more broadly mean any vehicle that’s able to communicate remotely with the outside world through a cellular data network, Wi-Fi, Bluetooth, satellite or other wireless link.
When it comes to physical safety, Canada has strict regulations and testing in place to ensure the safety of drivers and passengers in the event of a car crash.
“Cars are very safe, and they’re very safe because there’s been regulations and care put into making them safe,” Eagan said. “We need to follow that same methodology to keep that safety as we connect them.”
There’s currently a push to create cybersecurity standards for internet-of-things devices, which would include cars, he explained, adding that there’s not a clear standard in place today.
A 2018 report by the Senate on the future of automated vehicles found that, “without strong safeguards in place, cyberterrorists could take control of Canadian cars from halfway across the world.” The report recommended that Transport Canada, “urgently develop vehicle safety guidelines for the design of automated and connected vehicles” and develop cybersecurity guidelines specifically for the transportation sector.
In response, Transport Canada is set to release guidelines for vehicle cybersecurity later this year, according to an agency spokesperson.
The Communications Security Establishment (CSE), the federal agency tasked with protecting Canada from cyberattacks, is already working with industry players and Transport Canada to identify, prevent and respond to cybersecurity challenges related to transportation, according to a spokesperson for the agency.
The CSE found that Canadians’ exposure to cyberthreats is growing, because of the rising number of internet-connected devices, including cars, according to the agency’s most recent national cyberthreat assessment. “Manufacturers have rushed to connect more types of devices to the internet, often prioritizing ease of use over security. We regularly observe cyberthreat actors exploiting security flaws in devices,” the report found.
Yet, many people don’t realize their cars may be vulnerable to cyberattacks, let alone know what a potential attack might look like.
Keep up with cybermaintenance
To mitigate cybersecurity risks in your car, many of the same best practices that apply to your smartphone apply here: Make sure the car’s software is always up to date, don’t install suspicious apps and don’t agree to share your personal information unless you absolutely have to.
In the case of safety defects caused by a vehicle’s digital systems, Transport Canada has the authority to investigate and mandate corrective action by the manufacturer. Vehicle owners can report suspected defects on Transport Canada’s website.
Drivers would also do well to read the privacy policies they agree to, often without thinking, when buying a new car or using a new car’s “infotainment” system – its navigation and entertainment services. These documents outline all the personal information cars can collect about you, and often explain how you can opt out of some (if not all) of that data collection.
Canadians often underestimate cybersecurity threats, since they don’t believe the consequences will affect their everyday lives, according to the 2018 Senate report. However, when it comes to connected and autonomous vehicles, the consequences could be deadly.
Modern cars are two tonnes of rolling computer, capable of travelling at tremendous speeds. These aren’t smart fridges or some internet-connected stereo speaker. Lives are on the line.
Despite the risks they pose, connected cars also have enormous potential to improve our daily lives. As Petrunic explained, a highly secure transportation network that connects vehicles, public transit systems and road infrastructure could move more people, faster, over greater distances, all while using less energy. If the cybersecurity risks are properly managed, such a utopian vision could become reality.
Stay on top of all our Drive stories. We have a Drive newsletter covering car reviews, innovative new cars and the ups and downs of everyday driving. Sign up for theweekly Drive newsletter, delivered to your inbox for free. Follow us on Instagram,@globedrive.
Imagine you're riding in an autonomous or semi-autonomous vehicle. Suddenly, your car seems to take on a mind of its own, turning off in the middle of a busy intersection. Now imagining that happening at every intersection in the country. In a world of vehicles that are connected to the Internet, what's stopping a computer virus from taking down our entire transportation network? Could a hacker take down every car on the road?
The Globe and Mail