Skip to main content

One expert conceded autonomous vehicles would be vulnerable to attack just as other Internet-based technologies are.

Getty Images/iStockphoto

Auto makers may have been jarred by suggestions the U.S. Central Intelligence Agency discussed hacking into a key system used on millions of vehicles.

It was a passing reference in a deluge of alleged CIA documents dumped recently by WikiLeaks – 2014 notes from a meeting of the agency's Embedded Devices Branch looked at "potential mission areas," including cracking BlackBerry QNX software, which manages vehicle infotainment systems.

The operating system is a kind of traffic cop that harmonizes disparate functions, such as mobile phones, Internet connectivity and navigation. It is found on more than 60 million vehicles across dozens of popular marques.

Story continues below advertisement

It's not clear what the CIA's objective might have been; perhaps gaining access would allow it to eavesdrop on calls from the vehicle and even monitor conversations in the cabin.

BlackBerry quickly issued a statement affirming the security of its software and related hardware, and its vigilance in monitoring for potential vulnerabilities. Its systems, starting with BlackBerry phones, have security designed in from the ground up.

"We are the gold standard in the industry for a well-proven reason," corporate communications director Sarah McKinney said in an e-mailed statement.

A post by chief operating officer Marty Beard on the Inside BlackBerry blog reiterated that assurance, adding the company was unaware of any hacks or exploits of its QNX system.

"Still, the news is a bit frightening, now that we are in the semi-autonomous driving age and evolving toward fully self-driving cars," Beard wrote. "The notion that some day a car could be hacked and used to carry out a nearly undetectable assassination doesn't seem all that far-fetched."

Any outside intrusion is a sore spot. A customer backlash forced General Motors Co. to rescind a planned change in the terms of service for its OnStar system that would have allowed the collection of data even after customers cancelled it.

But the idea of evil-doers hijacking the whole vehicle gives even experts the willies as we move toward autonomous vehicles (AVs). The precursor technology is already on board. Think of Tesla's auto-pilot system. Cadillac just announced it was making vehicle-to-vehicle information sharing standard on all new models.

Story continues below advertisement

Researchers succeeded in taking remote control of a Jeep in 2015, including steering, brakes and transmission.

Asked about the WikiLeaks document, Fiat Chrysler Automobiles (FCA) said via e-mail that the remote vulnerability turned up by the researchers "was effectively eliminated in all affected vehicles.

"FCA U.S. remains committed to working with the industry and its suppliers to continue developing best practices to minimize vehicle cybersecurity risks," the company said.

The automotive division of Harman, a U.S. electronics company, is working on a hacker intrusion-detection system as part of its overall security suite.

All AVs will require some form of network connectivity to work.

Google has designed its Waymo prototypes to operate primarily using its on-board sensors, but still with occasional contact with the cloud to get information such as traffic reports.

Story continues below advertisement

"Our cars communicate with the outside world only when they need to, so there isn't a continuous line that's able to be hacked, going into the car," Waymo chief executive officer John Krafcik told the Financial Times in January. "When we say that our cars are autonomous, it's not just that there's not a human driver, but also that there is not a continuous cloud connection to the car."

Other AVs rely on a combination of on-board sensors, vehicle-to-vehicle communication and network infrastructure.

A 2016 report on AV technology aimed at government policy makers touched on data security.

"Global technology company stakeholders and global auto industry association stakeholders told us that building robust security protocols across many different auto makers' vehicles and different communications platforms is likely to be very challenging technically," said the report by RAND Corp., a U.S. think tank.

One expert conceded AVs would be vulnerable to attack just as other Internet-based technologies are.

"The security requirements for AV communications may be a potential inhibitor to mass deployment," the report said.

The issue rated only a brief mention in the 185-page report because it seemed to be less of a problem when most of the research was done in 2013, lead author James Anderson said in an interview.

"People weren't as focused on it as they are today," said Anderson, director of Pittsburgh-based RAND Institute for Civil Justice.

A new report on liability implications of cybersecurity risks in automated and connected vehicles, expected out this summer, will delve deeper.

"The majority of visions of automation rely on some kind of external connectivity," Anderson said. "Along with that external connectivity comes the risk of hacking."

One potential safeguard is isolating infotainment systems from the computers that help drive the vehicle, he said. That would close at least one pathway to remote control. Another is to build in fail-safes so AVs will automatically pull over and stop in the event of a disruptive hack.

Overlooked vulnerabilities open the door to hackers taking over not just one car but perhaps hundreds, Anderson speculated.

"It's not hard to imagine very bad things happening," he said. "The actual risk of those very bad things happening, it's hard to gauge."

Report an error Editorial code of conduct
Comments

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

If your comment doesn't appear immediately it has been sent to a member of our moderation team for review

Read our community guidelines here

Discussion loading ...

Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.