For years now, we've worked to position ourselves as leaders in the nascent field of automotive cybersecurity. Cars are becoming increasingly dependent on software, and it was only a matter of time until cybercriminals began to target automobile software.
It is now safe to say that we have reached that point. Recently, one or more criminals committed a string of hacking-based break-ins that targeted vehicles in the Montreal area, CBC News reported. These crimes suggest that automotive manufacturers likely need to take additional steps to better secure their systems and networks. Investing in the right software security tools may prove essential to such efforts.
Hacked cars in Montreal
CBC Montreal Investigates reported that it had discovered two local streets where multiple residents claimed to have been the victims of peculiar break-ins. In each case, valuables were taken from the vehicles, but there were no signs of forced entry.
"I had no windows broken, I had no windshield broken, there was no damage to the exterior of the car," said Derek Mestel, one of the victims, the source reported.
Sgt. Laurent Gingras of the Montreal police said he has heard reports of criminals using electronic devices to unlock and subsequently steal from others' cars. However, officials have yet to arrest anyone using this technology, CBC News reported.
The news source noted that one of its affiliates, CBC Manitoba, interviewed a Winnipeg car theft victim last year who was likely targeted by similar hacking tactics.
A growing trend
Unfortunately, these incidents are likely not isolated events. On the contrary, they are part of a growing trend of cybercrime directed toward automobiles.
Earlier this year, for example, industry experts Charlie Miller and Chris Valasek conducted a broad analysis of the cybersecurity capabilities of a diverse range of vehicles, presenting their findings at the Black Hat security conference in Las Vegas. As Wired reported, the study determined that Cadillac Escalades, Jeep Cherokees and Infiniti Q50s were particularly susceptible to cyberattacks.
These models were especially vulnerable for several reasons. Notably, they featured more potential access points for cybercriminals to target, such as Bluetooth systems, keyless entry systems, Wi-Fi and more. Additionally, the vehicles' network architecture was a factor, as the high degree of interconnectedness between these access points and more critical systems created more opportunities for hackers. Finally, "cyberphysical" features, including parking assistance and automated braking, further increased the cars' vulnerability.
"Companies should consider security before adding pieces onto an automobile." – Chris Valasek, automotive cybersecurity expert
"Our main takeaway is that companies should consider security before adding pieces onto an automobile, especially when those pieces have remote connectivity or cyberphysical attributes," said Valasek, Wired reported.
In light of this report, the Alliance of Automobile Manufacturers and the Association of Global Automakers joined together to create a consortium dedicated to warding off vehicular cyberattacks, The Daily reported.
The Daily also noted that in August, Tesla participated in the DefCon annual security conference, where the company allowed hackers to attempt to expose cybersecurity flaws in its Model-S.
"We're more of a software company than a car company," said Lance Merkin, a manager at Tesla's Seattle showroom, the source reported. "We respect technology, and a company that doesn't respect technology probably doesn't understand security."
Clearly, safeguarding vehicles against cybersecurity breaches is an issue that will become increasingly important in the coming years. To meet customer demand, automotive firms need to incorporate more computer systems and other technology into their offerings. It is crucial that this trend be accompanied by a equal commitment to cybersecurity. And as Valasek noted, this emphasis on cybersecurity needs to come first.
To this end, we see the biggest risk to automotive manufacturers is the lack of use of software security tools throughout their organizations. As we’ve seen in other industries, software developers need to have access to static analysis and other tools that can identify and remove potential vulnerabilities as early as possible, right as code is being written, before they cause serious problems for the manufacturer's customers.
• See how to protect your code from security threats by watching this webinar: How to reduce automotive software development risk
• Read this white paper outlining three steps you can take to identify and fix critical security errors in your code: Deliver safer and more secure automotive software