When the brake pedal doesn’t work: The failings of cybersecurity in the automotive industry


It’s a sunny, clear, big sky kind of day, the kind when you just go for a drive, which makes it the perfect day for what I have in front of me. A metallic red Tesla Model S is sitting on the street, and it’s mine to drive. With the performance, looks, and forward-thinking technology of the Tesla, it’s been difficult to keep supply up with demand. Sliding into the driver’s seat, I silently pull away from the curb and beeline for the highway to put the car through its paces. Once there, I decide not to use the innovative Autopilot feature; I’d rather stay in complete control. I pull into the left lane and cruise past slower drivers. The road ahead of me is clear. Then, a wall. The car spins to the left, and I’m looking at oncoming traffic right before I slam into the shoulder wall, deploying the airbag.

Not an accident, but the future of targeted attacks
What happened above was not a tire blowout; it was the left front brake. It wasn’t an accident but a malicious attack by a hacker. It was the exploitation of a security flaw exposed by Chinese researchers last month that Tesla had failed to prevent. The researchers were able to wirelessly activate the brakes on a Model S from as far as 12 miles away.¹ They never needed physical access to the car because the Model S is connected to the Internet in the same ways as your phone. Despite this similarity, automakers fail to approach the problem as the computer industry has. Automakers prefer to fix the problem after the fact rather than prevent it from ever happening.

The threat to automakers is even greater than that for the computer industry. The computer industry protects data from hackers. It stops unauthorized access to your finances, your pictures or your instant messages. The goal is to stop a user’s data from being stolen. These outcomes are serious harms, but the physical consequences of these hacks have been minor, if non-existent, till now.

The Tesla scenario, however, is a very different kind of threat. The concern is not that the browsing data from the car’s built-in Internet browser will be stolen but rather that the physical control of the car’s systems will be taken over. The description above shows how a hacker could take over the brakes of a car to cause an accident on an interstate. Hacking has evolved such that it is no longer just a breach of privacy crime but can also be one of physical violence.

Even more concerning, this is not the first time a car has become subject to a hacker’s control. In October 2014, two researchers successfully hacked into a Jeep Cherokee over the internet. Once they had breached the car’s cyber-security, they were able to control everything from the radio to the car’s accelerator, transmission and brakes individually. Eventually, they completely controlled all of the car’s systems. With control of every system, the researchers could effectively drive the car.²

Autonomous cars make this threat even more pressing. As car owners begin to drive less and become passengers to their vehicles, the way in which hackers can endanger the passengers and pedestrians is greater. Today, a driver can immediately determine if his or her car is hacked because the car will cease to respond to commands. In the autonomous case, however, there are few ways for the occupants of a car to become aware of a hack. A hacker could redirect where an autonomous car is going or jeopardize the passengers’ safety through dangerous driving behavior. Autonomous cars will, increasingly, be more reliant on software and Internet connections to drive than today’s connected vehicles.

Given that these vulnerabilities are repeatedly demonstrated, a response from the automotive industry is expected. The response by automakers, however, has ranged from denial of the problem to delayed reactionary responses. Automakers choose simply to issue software patches after the fact to prevent the problem again. This solution, responding through a patch, is retroactive in nature. Automakers only respond to a cyber-security threat after the harm has occurred. This is not enough; consumers expect safe products, and this means problems must not only be fixed but also prevented. Similarly, private citizens expect police to arrive when a crime has occurred as well as patrol and prevent crime before it ever happens.

Consumer concerns are still being noticed, but not by manufacturers
Despite automakers dragging their feet to deal with the cyber-security threat facing connected and autonomous cars, action has been taken to remedy the problem. Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) proposed legislation that seeks to create security standards for internet-connected automobiles. Entitled the Security and Privacy in Your Car Act (SPY Car Act), this proposed legislation would require manufacturers to include minimum security standards in their automobiles and test them for vulnerabilities.

The legislation, which is in committee at present, is flawed by vague definitional requirements, but it addresses many of the threats facing consumers in a proactive manner. The goal of the legislation is to impose requirements on manufacturers to bring the computer protections for automobiles in line with the protections of other computer-based industries. The concern is great enough to warrant government intervention because experts have estimated that automakers fail to address the problem, as they are “20 years behind software companies in understanding how to prevent cyberattacks.”³

The benefit of the SPY Car Act is the requirement for manufacturers to conduct penetration testing of their car’s computer systems. This technique, popular among software companies, requires attempts to hack into the security system installed in cars before it is implemented throughout the entire line. This allows manufacturers to find many of the flaws hackers would exploit by using the same methods hackers would use. Rather than creating a security system and hoping for the best, penetration testing allows a manufacturer to know that its software, and thus its cars, are secure and safe for consumers. Requiring penetration testing instead of setting minimum security standards reflects the methods used in the private sector and allows for automotive security to adapt more quickly than regulation would allow.

Although the SPY Car Act is far from perfect, it is a needed change to an industry that is ignoring the concerns of consumers. In proposing this legislation, members of the Senate demonstrated that they are concerned about consumer safety and intend to create a minimally intrusive framework to meet legitimate security concerns while allowing manufacturers to pursue new technologies that stand to bring great benefit to consumers. These technology benefits carry risk, but the SPY Car Act is a means to limit these risks and many of its problems can be corrected before the legislation is passed.

  1. Sean Gallgher, Researchers wirelessly hit the brakes in a Model S, Tesla patches quickly, ars technica, http://arstechnica.com/security/2016/09/tesla-patch-blocks-remote-attack-that-could-turn-on-brakes-from-miles-away/
  2. Andy Greenberg, Hackers Remotely Kill a Jeep on the Highway – With me in it, Wired (July 21, 2015), https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
  3. Cheryl Balough & Richard Balough, Cyberterrorism on Wheels: Are Today’s Cars Vulnerable to Attack?, Bus. L. Today, Oct. 2013.