Meet one of the hackers engaged by Wired magazine to take control of a Jeep Cherokee from the comfort of a living room. They could, and video of the hack raises questions about the safety and security of smart cars.
Warnings about connected vehicle vulnerabilities have been a steady drumbeat for years. Now a consumer-advocacy group is putting it in starker terms, suggesting a mass cyberattack against such vehicles could lead to Sept. 11-level casualties.
California-based Consumer Watchdog has issued a 49-page report that paints the dire picture and urges automakers to install 50-cent “kill switches” to allow vehicles to be disconnected from the Internet. The report highlights numerous widely reported instances of remote vehicle hacking, such as a 2015 demonstration involving a Jeep Cherokee left crawling along a St. Louis-area freeway.
“Millions of cars on the internet running the same software means a single exploit can affect millions of vehicles simultaneously. A hacker with only modest resources could launch a massive attack against our automotive infrastructure, potentially causing thousands of fatalities and disrupting our most critical form of transportation,” the group warns.
The report highlights what it describes as the key security flaw in connected vehicles, noting that the potential vulnerability is growing because of the increasing number of such vehicles on the roads.
“Experts agree that connecting safety-critical components to the internet through a complex information and entertainment device is a security flaw. This design allows hackers to control a vehicle’s operations and take it over from across the internet,” the report said, noting that “by 2022, no less than two-thirds of new cars on American roads will have online connections to the cars’ safety-critical system, putting them at risk of deadly hacks.”
While noting that over-the-air updates — increasingly embraced by automakers — provide the ability to update software, potentially fixing bugs and making a system more secure, the feature could also open new vulnerabilities, the report said. Such over-the-air updates also provide a way to avoid notifying regulators of issues.
The report said various automakers — Tesla, Daimler, Ford, General Motors and BMW, for instance — have disclosed the cyber risks to their investors.
Representatives of the National Highway Traffic Safety Administration, the agency charged with regulating vehicle safety, did not respond to a request for comment.
Gloria Bergquist, a spokeswoman for the Alliance of Automobile Manufacturers, an industry trade group, suggested the report could be an attention-getting ploy, and she defended the industry’s cybersecurity efforts.
“It is not unusual to see groups seeking attention right before the August cybersecurity meetings in Vegas. But today, cybersecurity is a priority to every industry using computer systems, including automobiles. Automakers know their customers care about security, and automakers are taking many protective actions, including designing vehicles from the start with security features and adding cybersecurity measures to new and redesigned models,” Bergquist said, referencing an upcoming cybersecurity conference where vulnerabilities found in BMW models are scheduled to be discussed.
Bergquist highlighted various efforts to address the issues, including groups working to develop a unified international standard for automotive cybersecurity. She also said consumers have responsibilities, too.
“Cybersecurity is everyone’s responsibility, and consumers — along with automakers and their suppliers — need to be vigilant. Consumers should exercise good cyber hygiene in all they do, including properly pairing a phone to a car, deleting phone data from rental cars (if paired), and being active in doing the maintenance and updates as requested for phones and vehicles,” Bergquist said.
Contact Eric D. Lawrence: firstname.lastname@example.org. Follow him on Twitter: @_ericdlawrence.