Autonomous vehicles and self-driving trucks could become the next favored weapons of terrorists if the automotive industry doesn’t take a more rigorous approach to cybersecurity, according to a Justice Department official.
Speaking about the potential to use robotic vehicles to carry out the type terrorist attack that killed 84 people in the French resort city of Nice this month, Assistant U.S. Attorney General John Carlin said, “We know people are experimenting with using autonomous automobiles, and it shouldn’t take much imagination to think that if there’s a self-driving truck they’ll do the same thing.”
That’s just one of the many worrisome scenarios outlined during a cybersecurity conference in Detroit on Friday. Hackers, including those working for terrorist groups and rogue nations such as North Korea, are shifting attention from computers and smartphones to motor vehicles — both cars and heavy truck — Carlin and other speakers warned at the Billington Global Automotive Cybersecurity Summit.
The transportation industry is on the “cusp” of a major crisis, Carlin said. “We can’t make the mistake of not designing in cybersecurity protection.”
Until recently, few in the transportation industry took cybersecurity seriously, according to experts addressing the conference. But a series of recent incidents has finally put the issue on the industry’s radar – most notably, when a pair of so-called white hat, hackers took control of a Jeep Cherokee last year and sent it driving into a ditch before they reported the vehicle’s vulnerabilities to the automaker.
What makes the issue so daunting is the broad array of hackers, said Josh Corman, founder of I Am the Cavalry, a grass-roots organization working on cybersecurity issues. These range from 15-year-olds who hack for fun after school to professional criminals who hope to access personal or corporate data as well as terrorists, state-sponsored hackers and hacker collectives motivated by political issues, he said.
Trucks provide some unique concerns, said Corman, who also is director of the Cyber Statecraft Initiative for the Atlantic Council, an international affairs think tank based in Washington, D.C.
“Since trucks tend to operate as part of fleets, the threats and harm could be magnified,” Corman told Trucks.com.
Although there’s the threat of using autonomous trucks in terrorist assaults, truckers could also find hackers attempting to divert trucks by reprogramming onboard navigation systems, Corman said. That could allow them to steal cargo or hold it for ransom.
So-called ransomware has become a big issue for computer users, both personal and corporate, with hackers shutting down machines until victims pay to regain access.
That’s a particularly worrisome issue when it comes to motor vehicles, said the Justice Department’s Carlin. Hackers could shut down a fleet of trucks, perhaps blocking highways or halting the delivery of perishable goods.
Such an attack, he said, “would be on the level of a broader threat to our infrastructure.” He compared it with the cyberattack that shut down part of the Ukrainian electric grid.
The problem is that today’s automobiles and trucks are “supercomputers on wheels,” said Mark Rosekind, the head of the National Highway Traffic Safety Administration. Onboard microprocessors operate everything from infotainment systems to engine and brake controls. This high-tech transformation is only going to continue as part of the push to develop autonomous vehicles, he said.
A decade ago, a relatively high-tech car might have used about 10 million lines of code. Now that’s up to 100 million on the average automobile — or at least three times more than in the most advanced jet in the U.S. military arsenal, the F-35, said Mary Barra, chief executive of General Motors Co. That figure is expected to increase exponentially by decade’s end, she said.
That much code offers numerous opportunities for hackers, experts stressed. And the situation is further complicated by the growing number of wireless access points in today’s vehicles. There are satellite radio links, onboard 4G LTE Wi-Fi hotspots and even remote tire-pressure monitoring systems. Many trucking fleets add their own remote vehicle tracking systems and controls.
Autos and trucks face the same threats, said Jeffrey Massimilla, GM’s chief of cybersecurity. That’s one of the reasons why the hacker threat has to be dealt with on an industrywide basis, said Massimilla, who led the creation of ISAC, the Information Sharing and Analysis Center, which is working cooperatively to address mobile cybersecurity.
For now, ISAC is focused on the automotive side of the transportation industry, but Massimilla said he “wouldn’t be surprised” if heavy-truck manufacturers seek to participate.
Even as car and truck manufacturers work together through groups like ISAC, they are setting up their own cybersecurity programs. Fiat Chrysler Automobiles this month announced a partnership with Bugcrowd, a San Francisco-based startup that uses a network of 32,000 white hat, or friendly, hackers to search for software vulnerabilities. They can earn as much as $1,500 in “bug bounties” for each issue they uncover for FCA.
“Only humans can find problems that humans have created,” said Marten Mickos, chief executive of HackerOne, another hacker crowdsource collective based in San Francisco.