Smart Cars and Internet of Things Face Growing Cybersecurity Risks
Try to hack into a ’57 Chevy and you’ll be out of luck. They don’t even have USB ports.
But as modern cars are getting “smarter” and more connected, they’re becoming more vulnerable to cyber-attacks, experts said.
In a world where sex toys spy on people and homeowners get locked out of their apartments when their front door needs a firmware upgrade, it might be no surprise that the rush to “cloudify” industries has opened another front in the war on identity theft.
But driving is a high-stakes affair that involves tons of metal and combustible materials traveling at high speeds. And while most connected car security incidents involve the theft of personal information, experts say hackers can in some cases take actual control of a vehicle.
The issue loomed large in the mind of industry experts at this year’s World Intelligent Connected Automobile Conference, where there were calls for tighter regulations and protection against cyberattacks on internet-connected cars.
Tracking the growth of the connected vehicle industry, the number of cyberattacks against internet-enabled cars increased eightfold from 2016 to 2019, according to An Hui, deputy chief engineer of state-backed China Center for Information Industry Development. Four out of five attacks last year were done remotely.
Alarmingly, two-thirds of the domestic models An’s team tested this year had identity verification vulnerabilities through their speech recognition system that could allow hackers to steal personal information, as well as enter a factory mode that let them read and write system files, install applications and more.
Connected cars are subject to attacks via Wi-Fi, Bluetooth, installed software and other channels, An said.
Hackers can use these pathways to obtain control of vehicles, make them accelerate, prevent cars from powering down and drain their batteries, An said, though such attacks appear to be rare.
It’s not just domestic models that are at risk. The head of one of Tencent Holdings Ltd.’s in-house cybersecurity team claims they were able to interfere with a Tesla Inc.’s visual system to make it drive into oncoming traffic.
“Tesla's advanced assisted driving cedes a lot of control and decision-making to the autopilot system. If you can take over the autopilot system, it’s a much more serious problem than controlling the car through a network,” said Lü Yiping, director of Tencent’s Keen Security Lab.
The sensors used in connected vehicles, including lidar — the eyes that help monitor traffic conditions and keep a safe distance from other vehicles — are also vulnerable to cyberattack, said Shan Hongyin, CEO of cybersecurity firm Yinji Information Security Technology Co. Ltd.
Car manufacturers need to take the security of connected cars more seriously, Shan said, adding that very few vehicles were equipped with security chips. “It is necessary to do key security protection from the car side, as well as remotely. That means continuous monitoring and safety assessment, not just a firewall inside the car.”
A development blueprint for internet-enabled cars released at the Thursday conference predicts that vehicles with level two to level three automation will account for half of all new car sales by 2025, and 70% by 2030. Level two assists the driver with steering, acceleration and braking, while level three means vehicles can drive themselves under certain conditions, such as on highways.
The blueprint expects China to come up with a regulatory framework to oversee technology standards and product qualifications by 2025.
Also vulnerable to cyberattack is the industrial internet of things, a term for the growing number of industrial devices installed everywhere from manufacturing plants to cargo ships that use sensors to gather data from the world around them and shuttle it to and from wireless networks.
With more and more new technologies connected to each other, the risk of security issues will increase, said Huawei Technologies Co. Ltd. Chairman Hu Houkun said last week at an industry conference on 5G technology.
Qi Xiangdong, the head of cybersecurity firm Qi An Xin Group, said network security is the number one challenge to developing China’s industrial internet – and the Covid-19 pandemic has only exacerbated the issue.
“The epidemic has intensified the degree of openness of our networks, knocking down walls by removing tedious verification and security processes. When there was a wall, all we had to do was guard it. But now (with more people working remotely) there are vulnerabilities everywhere,” he said.
Qi said that while large companies tend to have a grasp on security issues, smaller firms with fewer resources were more vulnerable.
“Large companies are worried about production shutdowns and the associated economic losses. But they’re more worried that their product designs, intellectual property and production data will be stolen by competitors.”
Small and midsize manufacturing companies “lack capital, talent, and technology, meaning the security problems they face will be more severe,” he said.
Qi Xiangdong said that the new challenges brought by industrial internet security can be solved through dynamic threat response systems that actually learn from attacks to improve defenses.
He said small and midsize firms that do not have the resources to build such systems should entrust their construction and operation to professional security companies.
Contact reporters Anniek Bao (firstname.lastname@example.org) and Flynn Murphy (email@example.com) and editor Gavin Cross (firstname.lastname@example.org)
Download our app to receive breaking news alerts and read the news on the go.
- MOST POPULAR