As the idea of a mass-marketed driverless car nudges closer to reality, automakers are increasingly coming to terms with the need to address the threat that onboard technology could be targeted by hackers.
So far there has not been a catastrophic attack, but the growing array of potential connections for cars to the Internet — and at least one hacking-related recall — have pushed the industry toward taking action.
One company that sees a potentially lucrative new market is McLean, Va.-based Booz Allen Hamilton, whose employees have long teamed with the intelligence community on classified cybersecurity work.
The 103-year-old management and technology consulting firm has been tapped by an auto industry trade group to set up a system for companies to share potential vulnerabilities, an operation that is being run out of Booz Allen’s new innovation center in downtown Washington.
The effort is part of Booz Allen’s attempt to extend its expertise in government work to the commercial sector.
Booz Allen said that nearly all major car manufacturers are working with the Automotive Information Sharing and Analysis Center, known as Auto-ISAC. The chief challenge is reaching out to the vast network of suppliers that provide parts for what is coming to be called “the connected car” — components of the modern automobile that send and/or receive information over the Internet.
That list is surprisingly long.
Some bumpers and engine parts have sensors that communicate with other parts of the car or with other automobiles. Even tires have small pressure sensors, which security researchers have used to take control of other parts of the car. Taking inventory of all these possible access points and understanding their potential vulnerabilities is likely to become increasingly important.
“We know in cyber that any time these threat actors decide they can’t get into one window they go around the other side and get in the other window . . . what we call the soft underbelly,” said Faye Francy, the new director of Auto-ISAC.
Francy said the organization still has work to do to connect with the supplier community. It has only 18 suppliers feeding information into the system, a tiny corner of a highly fractured industry.
But progress is being made. Last month, seven more suppliers said they were joining the program: Bosch Mobility Solutions, Cooper Standard, Honeywell, Hyundai, Lear Corp., LG Electronics, NXP Semiconductors, and Japanese manufacturer Sumitomo Electric Industries.
All of them produce electronic parts. Bosch makes car systems that communicate electronically from one vehicle to the next, as well as vehicle safety systems. Cooper Standard makes fuel and brake lines, and Hyundai is working on self-driving car systems.
Companies say they are joining out of an abundance of caution.
“Nothing huge has happened yet, but the threat is only increasing,” said Craig Balis, chief technology officer of Honeywell Transportation Systems, which makes turbochargers and car performance materials. “If you can imagine being in your vehicle and you can’t control the steering or the brakes or the engine, the worst-case scenario is not really an acceptable one.”
Companies that join Auto-ISAC are given access to information about threats their peers are facing.
Some of that information comes from U.S. government agencies and is shared with automakers, said Jon Allen, a Booz Allen principal who managed Auto-ISAC until recently. WikiLeaks recently released documents that it claimed suggest the CIA has looked into hacking cars, though The Washington Post could not verify the assertion and the spy agency declined to address it.
Far more data comes from a small-but-thriving industry of independent hackers known as “white hats” or “penetration testers,” who help companies find weaknesses before hackers do. Auto-ISAC’s administrators say the vulnerabilities they have seen have come mainly from such researchers.
“There hasn’t really been a big front-page malicious event in the automotive industry, but the industry has been probing itself, if you will,” Balis said.
Getting automakers to share their vulnerability information is no easy feat given the fierce competition among the companies. Manufacturers tend to be secretive when it comes to the latest details of next-generation products such as self-driving cars.
“We’re trying to create a culture of trust in a highly competitive industry,” Allen said.
That the organization has succeeded in the absence of a major hack, he said, is a mark of the industry being proactive.
Information-sharing efforts in other industries have tended to take hold after a costly hack shined a spotlight on the issue. The retail industry’s effort wasn’t established until after hacks at Home Depot and Target made headlines and embarrassed retailers. The Financial Services Information Sharing and Analysis Center, generally thought to be the most active among its peers, was established in 1999 after online identity theft first proliferated.
But the economics of the auto industry entail a different set of challenges. The time horizons associated with manufacturing mean fixes can be more difficult for a car company to implement than for, say, a bank. Specifications for cars are laid out years ahead of time and fixes can require massive recalls.
That’s what happened last year when Chrysler recalled 1.4 million vehicles after security researchers showed they could wirelessly take over a Jeep, suggesting the car-hacking threat is already becoming a thorn in the industry’s side.
As cars become more sophisticated, their connected technology will only get more complicated, some say, opening new vulnerabilities. Companies are starting to realize this.
“A lot of this really is herding cats, because everybody has different interests . . . but what’s amazing is they have all the cats in the same room,” said Paul Kurtz, a cybersecurity expert who served as director of counterterrorism for the George W. Bush administration’s National Security Council.