Is cybercrime in the automotive sector a real risk? This issue raises concerns because we live in a world that at times resembles the well-known dystopian series Black Mirror. Technological advances have led to more connected cars, but precisely the fact that the headlights, the engine and even the tire pressure are connected makes it easier for the software that controls each application to provide an open door for hackers.
“Without a doubt, it is a real risk. With the increase in software complexity, the possibilities of attack by cybercriminals also increase,” says Eduardo Benito, an expert in embedded developments at ERNI Consulting Spain, who emphasizes that the misuse of technology makes it possible to steal a car in just a few minutes. In addition, Benito adds that the evolution of pure mechanics to the digital field has not foreseen, in many cases, “the effect of replacing one control with another.”
“And now we find ourselves dealing with the consequences,” he admits. They are lifelong dangers, yes. A threat that is somewhat familiar, because “weaknesses in terms of cybersecurity have existed in cars for a long time, but they required physical access to the vehicle, making it ineffective,” says Benito. However, with the advent of wireless communications, all this has changed, since it is easier to defeat the system, “and hence the increase in vulnerabilities and vehicle hacks.”
OK. But to what extent can a cybercriminal manage to start the car without a key, remotely, by manipulating the brakes and even the engine? It still sounds like an episode of Black Mirror, but beware: reality is stranger than fiction. “Unfortunately, various vulnerabilities have been found that allow certain car models to be unlocked and started depending on the year when the vehicle was made, the manufacturer and how many digital and mechanical features it has. The more complex the electronics, the greater the risk because their exposure is greater,” says David Soto, an expert in cybersecurity and IT at ERNI Consulting Spain.
In this regard, although the industry corrects errors and bugs through software updates, one must always stay alert. Of course, tampering with the brakes or the engine, the specialists agree, requires a more elaborate maneuver, since it is necessary to physically enter the car and install a chip to alter communications between the components.
The technologies to mitigate cybersecurity risks are increasing on a huge scale. The size of the business in the automotive field alone, they tell us at ERNI Consulting Spain, “is estimated at $3,100M in 2022 (close to €2,900M), estimated to grow to $16,000M (€14,500M) by the end of the decade.” In addition, they highlight, new vehicles in Europe must comply with the ISO/SAE 21434 directives and the UNECE-R155 resolution from 2024. In other words: do not panic. “This will force future designs to be secure-by-design, i.e., they take cybersecurity into account during all phases of system design. New encrypted communications protocols, such as Autosar SecOC, will limit the scope of cyberattacks.” In this way, the means of transport will not only be more connected, but also better protected. And the future of the sector and consumer confidence will depend on the speed and quality of the initiatives implemented.
As in so many scenarios in life, here prevention is key. When it comes to cybercrime, the expert Eduardo Benito mostly blames the original failures and inaccuracies “of the software design rather than user error. A few years ago cars could be opened with a coat hanger, and they could be hotwired, but now cybercriminals use a device connected to a headlight. Before, drivers were tricked into stopping on the shoulder by telling them they had a flat tire and, when they got out, their car was stolen, but now criminals use electronic devices to pretend the car has a flat tire and then they do the same thing.” In other words, the level of sophistication has changed, but the outcome is the same.
Here is a series of recommendations —proposed by ERNI Consulting Spain— to stop cybercrime on wheels:
Technology brings progress, of course. But it also brings new concerns. And what to do in the event of a cyber incident? The first thing to do is go to the police. “Regarding technology, as a general rule it always entails progress and, after some time the novelty reaches maturity and ceases to be a concern,” they tell us at ERNI Consulting Spain. Companies like ERNI work on prevention, developing apps and programs for the motor industry to provide safe solutions for their devices.
And there is no turning back from all this technological progress, which, if we behave with caution and professionalism, will make it difficult for a new and disturbing episode of Black Mirror to take place.
