An alarming report from the nonprofit group, Consumer Watchdog has found all the top 2020 cars that have Internet connections are also connected to critical systems that could leave drivers vulnerable to hacks as they're speeding down the highway.
Consumer Watchdog president Jamie Court warned of a potential for a 9/11-scale attack if hackers engaged in a fleet-wide hack during rush hour.
"Connecting safety-critical systems to the Internet is inherently dangerous design," said Court. "American car makers need to end the practice or Congress must step in to protect our transportation system and our national security."
The report, titled: "Kill Switch: Why Connected Cars Can Be Killing Machines And how To Turn Them Off" alleges automakers have failed to properly secure the software running on their vehicles and risk hackers gaining access to drivers' vehicles. The report was assembled by a group of 20 car industry engineers and whistleblowers who have remained anonymous out of fear of losing their jobs.
The vulnerabilities are similar across most vehicles. The head unit (known as the entertainment unit), is often connected to the internet through a cellular connection which is also connected to the vehicles' CAN (Controller Area Network). Gaining access to the head unit could allow hackers to control some of the vehicle's most critical systems such as the engine and the brakes. The group estimates that by 2022, no less than two-thirds of American cars on the road will be connected to the internet in some way. Viruses can also spread vehicle to vehicle and programmed to wake at a given time, which would result in a massive, coordinated attack.
"Recent reporting about United States efforts to counter Russian cyber-attacks with its own online infiltration indicate that we increasingly live in the era of cyber warfare. An attack targeting transportation infrastructure is a growing possibility. Most concerning is that automotive industry executives are aware of these risks, yet are proceeding nonetheless to deploy these technologies, putting corporate profits ahead of consumer safety and national security," the report warns.
"Despite working on the problem for more than a decade, carmakers have proven incapable of creating Internet-connected vehicles that are immune to hacking, which is the only standard that can keep consumers safe," the report concludes. "With connected cars rapidly overtaking the market, consumers will soon have no haven from the online connections that threaten them," it adds.
The group pointed to videos posted online of hackers controlling the brakes of a Tesla or remotely killing a Jeep while it was riding down a highway.
The report offered a number of solutions for the car industry and regulators to ensure the safety of automobiles on the road, including the simple installation of 50 cent "kill switches" in every vehicle that would allow drivers to cut the car's connection to the internet and other wide-area networks.
- Regulators should require automakers to publicly disclose the authorship, safety certifications, and testing methodology used for all safety and security critical software, allowing for analysis by independent regulatory and testing agencies.
- CEOs of auto manufacturers should sign personal statements and accept personal legal liability for the cyber-security status of their cars.
- The industry should agree to a general standard protocol that cars not be connected to wide-area networks until they can be proven immune to hackers.
- Each one of their cars at the earliest possible date will come with an Internet killswitch that physically disconnects the Internet from safety-critical systems.
- Future designs will completely isolate safety-critical systems from infotainment systems connected to the Internet or other networks because connecting safety critical systems to the Internet is inherently dangerous design.
"Giving insurance companies Internet access to how we brake, accelerate and where we go is not only privacy threat, but creates huge security risks by giving hackers more access to our vehicles," said Court. "Drivers shouldn't have to open themselves to a fleet wide hack as a condition of buying auto insurance. This report should open the eyes of elected officials like Commissioner Lara."