What increasingly worries scientists is that entertainment computers could be manipulated to tell the safety computers what to do.
“There clearly is a vulnerability,” said Adrian Lund, president of the Insurance Institute for Highway Safety, based in Arlington, Va. “All these electronics we’re bringing into cars seem to exacerbate that.”
A National Academy of Sciences panel, including Lund, elevated the concerns in a report Jan. 18 reviewing U.S. regulators’ work in finding the cause of unintended acceleration in Toyota Motor Corp. vehicles.
While safety and entertainment systems are intended to be separate, “it is not evident that this separation has been adequately designed for cybersecurity concerns,” the academy wrote. It agreed with U.S. regulators who said they found no evidence the Toyota incidents were caused by faulty electronics.
Automotive engineers at a conference in Washington last week said they aren’t immediately concerned that a hacker will take over a car and drive it off a bridge.
Instead, they said, they want to help automakers spot vulnerabilities while they’re hypothetical and ease fears of consumers who are already familiar with cyberattacks in other areas.
Car thieves could exploit security weaknesses to remotely open and start a car, or a spy could listen to conversations inside a car, Stefan Savage, a University of California-San Diego computer science professor, said in a telephone interview. He co-wrote a paper last year after discovering ways to hack into cars.
Any electronic system in a car is a potential target for hackers, said Andre Weimerskirch, chief executive officer of Escrypt, a closely held security company in Ann Arbor, Mich., with automotive clients.
While the risk is hypothetical so far, automakers and regulators need to address it now, he said.
“Once you have access through the infotainment system, the question is could a hacker get access to the safety-critical components,” Weimerskirch said.
He spoke recently in Washington at the annual conference of SAE International, a group of automotive engineers whose members are helping draft an industry standard for car electronics.
Savage and co-author Tadayoshi Kohno, from the University of Washington, found vulnerabilities in telematics systems, which make the connections between cars and mobile communications.
They also successfully inserted an infected CD into a car’s compact-disc player and directed it to control safety systems. They aren’t aware of any real-world examples of car hacking.
“The issue for the industry and for the government is that you’re one really bad situation away from it becoming a thing that people think about,” Savage said.
The U.S. National Highway Traffic Safety Administration, which regulates automotive safety, needs better expertise in vehicle electronics, the science panel’s report concluded after studying the agency’s response to the Toyota incidents.
“This technology is changing so fast that NHTSA needs to make sure they can keep up,” Lund said.
NHTSA is researching auto cybersecurity, Lynda Tran, an agency spokeswoman, said in an email.
“The agency recognizes there are potential vulnerabilities, especially those related to future connected vehicles, that need to be fully understood and addressed,” she said. “NHTSA has been conducting exploratory research and is now planning further efforts that would evaluate the vulnerabilities and possible counter-measures on an industrywide basis,” including more research and evaluation.
Both SAE and the United States Council for Automotive Research, whose members include General Motors, Ford and Chrysler, have groups working on engineering standards aimed at cybersecurity.
Unlike automotive standards that specify performance minimums, a security standard would have to specify what systems shouldn’t do, Savage said, such as not allowing a CD to send signals to the brakes. Improving electronic security in cars takes a combination of hardware, software and more personal expertise, he said.
The cost to automakers and their suppliers will depend on the model of car and level of desired protection, he said. It’s unlikely car companies will offer special security systems as an option because automakers wouldn’t want to imply that customers would need to buy something to protect their cars, Savage said.
“It sends the wrong message,” he said.