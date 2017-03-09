(Repeats story first published on Wednesday)
By Alexandria Sage
SAN FRANCISCO, March 8 WikiLeaks documents
showing the U.S. Central Intelligence Agency considered a
"mission" against connected car technology underscores auto
industry concern that the science behind the next generation of
vehicles could be turned against them.
Cyber security is considered key to the rollout of
tomorrow's self-driving and today's connected cars, which
resemble computers on wheels with a host of communications
routes that hackers could target.
If consumers are to trust smart vehicles, they must deem
them safe from attack. Security experts cite the terrifying
hypothetical example of a remote attack on a fully autonomous
vehicle with no steering wheel or brakes, in which the passenger
would have no recourse to regain manual control of the car.
"You have a lot of car companies trying to design cars to be
better suited to automation, which means they're more attractive
to hackers," said auto consultant Roger Lanctot of Strategy
Analytics.
A major strategy for automakers is to reduce the number of
communications gateways to crucial systems and to require
services offered by third parties to go through a single secure
path.
WikiLeaks documents show the CIA citing "vehicle systems"
and a car operating system from QNX, owned by Blackberry Ltd
, as "potential mission areas" for the CIA's "Embedded
Devices Branch" to consider.
The QNX operating system, which is used by most global
automakers, provides a "a comprehensive, multi-level,
policy-driven security model ... to mitigate attacks," the
company said in a statement to Reuters. But given the collection
of software, hardware and network components that make up a
connected car, "security is only as strong as its weakest link,"
it said.
While the CIA's interest in cars brought widespread
attention, the industry has already received wakeup calls about
cars' potential to be hacked.
Researchers in 2015 used a wireless connection to turn off a
Jeep Cherokee's engine, prompting a recall of 1.4 million
vehicles by Fiat Chrysler Automobiles.
In September last year, Chinese cyber security researchers
hacked a Tesla Inc Model S sedan, remotely tapping the
brakes and popping the trunk. The electric carmaker subsequently
patched the bugs using an over-the-air fix. Tesla did not
respond to a request for comment on its cyber security protocol.
The hacking of the Jeep and the Tesla "brought it home to
the industry that even if its improbable it's technically
possible," said Mark Wakefield, global co-head of the automotive
practice at AlixPartners.
If a car was seen as vulnerable, it "could be a big brand
problem," Wakefield said. Hacks could also expose private
information shared between car and third parties - credit card
numbers, account numbers or passwords - to theft.
A January survey by the University of Michigan's
Transportation Research Institute found that 33 percent of
respondents said they were "extremely concerned" over hacking of
full self-driving cars to cause crashes.
CLOSING DOWN THE WAYS IN
The number of ways into cars has proliferated, from cell
phone signals to dongles. One such gateway is the standard
OBD-II port found under the steering wheel historically used for
onboard diagnostics. Today, hundreds of after-market devices use
the port, whether to monitor driving for insurance needs or
provide conveniences like safety alerts.
"The security of these devices is important, as it can
provide an attacker with a means of accessing vehicle systems
and driver data remotely," warned the FBI in a March 2016
bulletin on cyber security risks to motor vehicles.
Carmakers are also building walls between non-crucial
infotainment systems and driving controls so that any breach is
blocked before it could compromise key functions like brakes.
The first step the industry is tackling is intrusion
detection, said Lanctot. But what to do when a breach is
detected is complicated, because shutting off parts of a car
could be unsafe, he said.
Tesla was first to champion "over-the-air" technology in
which wireless software updates are sent remotely to cars.
Although some have argued such updates are a way in for hackers,
Tesla and others see them a key protection to upgrade security
and repair vulnerabilities quickly.
In January, U.S. lawmakers introduced a bill calling for
cyber security standards for new cars but so far U.S. regulators
have issued recommendations, not rules, on how carmakers should
shield their computer systems from hackers.
The industry is "years away" from solving the cyber security
problem, Lanctot said, noting that the first generation of cars
built after the Jeep hack that include some kind of detection
capabilities will not be seen until early in 2018.
(Reporting By Alexandria Sage; editing by Peter Henderson and
Bill Rigby)