Hackers like to say internet-connected cars are like smartphones on wheels. These days, some of them even update software “over the air,” like your phones do. But phones don’t weigh thousands of pounds or travel at potentially lethal speeds on the regular. By 2022, it’s estimated that two-thirds of all new cars will feature such connected systems.
Already, a cottage industry has sprung up to meet burgeoning demand for white hat hackers — game for a price — to help automakers identify vulnerabilities before black hats do.
“A very good defense is a good offense, right?” asked David Baker, chief security officer and VP of operations for Bugcrowd in San Francisco. As the name suggests, Bugcrowd helps curate crowdsourced solutions for the auto industry from a relatively small number of hackers who know how to help.
Automakers cover the cost of Bugcrowd’s listing management as well as the rewards for identifying bugs. Payouts range from $5,000 for identifying a relatively minor bug to many multiples of that for something critical.
It might give you some comfort to know Baker says car hacking is relatively complicated and expensive compared to other forms of hacking, because it involves access to and familiarity with car parts.
“That’s a little bit more of an attack surface than typically you would have just from electronic or wireless access. We have researchers that have the dashboard of a Tesla sitting in their living room,” he says.
But it doesn’t take a paranoid person to imagine it’s just a matter of time before cheat sheets are available for sale on the dark web.
At a press conference ahead of several major cybersecurity confabs this past summer, Jamie Court with the Los Angeles-based Consumer Watchdog warned, “Hackers tell us it’s just a matter of money. It could be hundreds of thousands of dollars. It could be millions. But you know what? A hostile government has that kind of money.”
In an effort to force a more public conversation about automotive cybersecurity, the non-profit released a report called “Kill Switch: Why Connected Cars Can Be Killing Machines and How to Turn Them Off.”
“Car companies are selling connected cars on the basis that you can turn your car on with your cellphone and get the air conditioning running on a hot day. Well, if you can turn your car on and get the air conditioning running with your smartphone, someone else can access your smartphone and shut your car down in the middle of the highway at rush hour,” Court said.
Nothing like that has happened (that we know of), but since Wired magazine first detailed a spine-tingling Jeep hack in 2015, in which the engine was killed while the reporter was in the vehicle on a freeway, there has been a steady dribble of similar headlines showing the progress hackers are making.