It’s already happened.
A Chevy Impala’s brakes were disabled remotely on national TV; a Jeep Cherokee was driven into a ditch from 1,000 miles away via an Internet connection; encrypted signals from wireless car keys have been intercepted and replicated, rendering the devices virtually useless.
Cars are being hacked by independent researchers who have uncovered security flaws that the automakers themselves didn’t know existed. Fortunately, none of the known security breeches have been malicious, but the potential clearly exists.
“These early vulnerabilities are because the industry has given very little attention to cybersecurity,” says Dean Drako, founder of Drako Motors and the Barracuda Networks cybersecurity firm. “With the software content of cars increasing quickly, attention is needed to cybersecurity. Moving forward, it will be about managing the risk to an acceptable level.”
While many automobile manufacturers have taken reactive measures or apparently just ducked for cover, tech-savvy Tesla has gone a step beyond – offering a bounty, which it recently increased from $5,000 to $10,000, to hackers who help it identify and prevent future issues.
“Tesla’s Bug Bounty Program encourages the security community to participate in the process as we continue to develop further ways to harden our systems,” says Tesla spokeswoman Khobi Brooklyn. “The program is also a great way to connect with top talent within the community, as we are also interested in continuing to build our team.”
“White hat” hackers like Samy Kamkar, who developed a device that could illicitly unlock and start a car connected to GM’s OnStar network, welcome the opportunity to engage with automakers.
“I'm a big fan of the bounties companies are putting out,” Kamkar says. “It's a forward-thinking way of protecting their own products and customers while supporting researchers and hackers.
“Many of these products are going to get hacking attention whether there's a bounty in place or not, so a bounty at least allows easier communication with the researchers so that they can fix any problems faster, while other companies are behind times and don't even have an easy way for any researcher to get in touch regarding security issues.”
“This technique has been used by the IT industry for years,” Drako says. “Today, cybersecurity attacks are primarily targeted where there is financial gain, such as banking, retail and access to Social Security numbers for potential identity theft.”
Independent automotive industry analyst Daanesh Chanduwadia sees the development as “the latest in a series of sage announcements solidifying [Tesla] as different than other automakers.”
“For what, even after the increase in bounty, is a rather nominal amount, Tesla gets to put itself in the center of a trending conversation and concern and be seen once again as a leader, while other companies seem to be mutely and suspiciously avoiding eye contact, hoping things will blow over soon,” he says.
“The fact that some of the largest OEMs out there have similar security issues across the board points to a broader issue in the industry and the lack of general security on the technology front,” Kamkar says.
"I've found plenty of literature, demonstrations and technology that has exposed car hacking for years that the public is simply not aware of - hiding it doesn't make it better, it only allows criminals to abuse it for longer, while exposing it produces rapid solutions.”
GM doesn’t currently have a bounty program, but Kamkar’s OnStar hack underlines his point. After he publicized his exploit of the smartphone app that works with the system, the automaker developed a solution within two weeks, seeking his input. If he’d kept it to himself, or was unable to get any attention from the press that reported on it, GM may never have known of this specific security hole, and millions of its cars would still be vulnerable.
Or, it may have chosen to keep things under wraps and deal with it in a less urgent manner. That Chevy Impala security flaw, which was dramatically revealed on 60 Minutes in February, was first uncovered and reported on in an academic paper in 2010 by researchers who agreed to not disclose the name of the company they were working with, and it wasn’t until November 2014 that GM finally, and quietly, began fixing it.