Would Your Smart Car Brake for Hackers?

As major automakers continue to roll out cars with Wi-Fi features connecting the vehicles with smartphones and other devices, their innovations are likely to catch the eye of hackers as well as tech-hungry customers, opening up a new asphalt playing field in the arena of cybersecurity.

"My concern is where we are heading in the future. As we head toward more automated drive systems, then the possibilities for hacking open up even more," says Akshay Anand, an analyst with automotive research company Kelley Blue Book.

Security researchers Charlie Miller and Chris Valasek recently illustrated the threat of hackers accessing a smart car by remotely controlling a Jeep Cherokee driven by a reporter from Wired, who later documented the experience. Through a flaw they discovered, Miller and Valasek gained access to the vehicle's computer network through the wireless Uconnect system, which let them control the steering, brakes and transmission of the Jeep while the reporter was driving.

The security gap was a vulnerability in vehicles featuring Uconnect, including models built from 2013-2014 by Chrysler, Dodge, Jeep and Ram, along with the 2015 Chrysler 200. Fiat Chrysler Automobiles released a software patch to update the wireless computers on those vehicles after Miller and Valasek notified the company about the flaw.

But while the Jeep attack exemplifies a worst-case scenario – since Miller and Valasek are top hackers who had time to discover the flaw – the risks are very real. Automakers are testing driverless car features as the next stage of innovation for their industry, and Anand says such technology could help hackers remotely steal a car.

"A lot of this is hype, but people have to be aware that when you buy a new car that is connected, there could be security flaws," Anand says.

The danger to consumers stems in large part from the rapid increase of companies, including automakers, who are making connected devices without putting the same effort into cybersecurity protections for those devices. Some companies "are absolutely not doing it the right way," says Jim Hunter, chief scientist at Greenwave Systems, which provides software for connected devices to companies like Verizon and IBM.

Mistakes, though, can be the greatest teacher, as Hunter says he has learned from hackers like Miller and Valasek who expose flaws in software.

"The challenge is that there are some young companies that don't have that experience," Hunter says. "Larger consumer electronics companies have experienced those scars of mistakes with consumers. Companies put in requirements to make sure that if you are a firm that wants its device to be interoperable with a software ecosystem like a smartphone network, they will have to assure they have security safeguards."

In response to such concerns, Federal Trade Commission Chairwoman Edith Ramirez has been pushing for more privacy and cybersecurity standards in the growing Internet of Things ecosystem – a sector of devices connected to wireless signals that includes not only cars but blenders, watches, thermostats and refrigerators. That ecosystem is growing, as an estimated 4.9 billion connected things will be used in 2015, up 30 percent from 2014, according to market research firm Gartner.

A Senate bill introduced this week also aims to counter the risks of hackers in the growing field of connected cars by pushing for automakers to face more cybersecurity and privacy oversight, and calls for more information to be provided about the electronic privacy protections offered by various vehicle models and what kind of driving data may be collected and retained by computer systems. The Security and Privacy in Your Car Act – introduced by Democratic Sens. Ed Markey of Massachusetts and Richard Blumenthal of Connecticut – would direct the National Highway Traffic Safety Administration and Federal Trade Commission to establish related standards to accomplish those goals.

According to research published by Markey's office earlier this year, only two or three of 16 studied car companies appeared to be able to detect or respond to a hack, and customers often don't know information from their car is being collected and sent to third parties.

"Federal law must provide minimum standards and safeguards that keep hackers out of drivers' private data lanes," Blumenthal wrote in a press statement. "Security and safety need not be sacrificed for the convenience and promise of wireless progress."

Republicans like Sen. Kelly Ayotte of New Hampshire and FTC Commissioner Maureen Ohlhausen have pushed back against placing broad privacy and cybersecurity regulations on the tech sector, warning that it could slow the rollout of new products or even discourage innovation.

But Hunter predicts there will be a greater push for an "overarching privacy and cybersecurity policy" as more people recognize that the reach of hackers is expanding.

"It's going to take legislative measures in the U.S. and Europe to make companies better guardians of personal information and data, and increasingly guardians of your remote-control devices," Hunter says.