Autonomous cars may not quite be on the market yet, but they’re certainly growing ever closer. The newest step towards this brave new world for passengers was unveiled recently, with Ford announcing that drivers of some of their newest cars will no longer need keys to open or start their vehicle. Instead they’ll be able to ask Amazon’s Echo and Alexa to do the job for them.
The functionality comes as a free upgrade to Fusion Electric, Fusion Energi and C-MAX Energi, and other models throughout the year. One suggested use for this was the ability to lend someone your car, being able to unlock and start it for them remotely without needing to be there yourself. Not something that the general public have been particularly vocal about wanting.
The more sensible application is that wider use of voice commands can make it easier for drivers to keep their hands on the wheel and their eyes on the road. As Don Butler, executive director of Ford Connected Vehicle and Services, explained, "We don't want consumers picking up their smartphone and texting inside the vehicles… We [also] don't want them picking their smartphone up and ordering from a restaurant. If we can do it by voice, we think it's better, safer and simpler."
That safety concern makes perfect sense, and is a logical progression. However, it could exacerbate some existing risks. As Kevin Tighe, a senior systems engineer at the security testing firm Bugcrowd, says, “Car companies are finally realising that what they sell is just a big computer you sit in.” But how secure are these computers? If a normal, static desktop can be hacked, why not a far more complex car? According to the product-line director of Bentley’s new Bentayga, which requires more than a million lines of code, refining and debugging software could be the biggest task facing modern car manufacturers. Add to this the fact that wireless-enabled cars are effectively a moving hotspot, taking any unsecured wifi spill with them wherever they go.
This kind of network vulnerability isn’t new. Back in 2015, the Jeep Hackers, Charlie Miller and Chris Valasek, revealed how they could hack Chrysler’s 2014 Jeep Cherokee, using wireless access to remotely kill the engine, or even disable the brakes at low speeds. In 2016 they followed this up with the revelation that they could now pull stunts like turning the wheel 180 degrees, or accelerating the car. Even in their test video, in which the driver knew what was coming, the effect is dramatic – on real roads, the potential to cause fatalities is undeniable.
To be clear, this was done with a laptop linked directly to the car, because Miller and Valasek had already alerted Chrysler to the wireless vulnerability and helped them patch it a year before. But normal hackers wouldn’t have; they’d be more likely to keep quiet until they could take full advantage. Worryingly, who’s to say there isn’t an equivalent already being developed on various models right now? According to researcher Karl Koscher, who back in 2010 found one of the first car-hacking techniques for GM’s OnStar, “There will almost certainly continue to be remote vulnerabilities in the future.” He says Miller and Valasek’s revelations show that if you can get on the right Controller Area Network to access the communications between components inside a vehicle, “you can use these techniques to take pretty dramatic control of the car.”
Chrysler did respond, launching their first “bug bounty” program, which offered up to $2,500 to hackers who reported flaws to the company. Though it’s possible this may have had a positive effect, it fell to Uber Technologies to show how it should be done by promptly hiring both Miller and Valasek, and installing them at its Advanced Technology Center.
It would seem the US government is also taking the threat seriously, with a bipartisan group of legislators recently proposing the Security and Privacy in Your Car Study Act of 2017, or SPY Car Study Act. The bill calls on industry professionals and federal regulating agencies to research cybersecurity in cars, and come up with appropriate standards for new vehicles.
The lesson for the Ford/Amazon project, and others like it, is clear. The risks exist, the threats will continue to grow, and manufacturers may soon be legally required to conform to standards. The only way forward will be to partner with the specialists in cyber-security, whether that be through extensive vulnerability testing, or ensuring networks and communications are protected. This is simply too important to leave to half-hearted initiatives. Responsible driving saves lives – but it’s the manufacturers’ responsibility to make sure the person in control is in the car, not elsewhere in front of a screen.
Harvey Boulter, Chairman, Communication Security Group