Car hacking: how big is the threat to self-driving cars?

October 7, 2014, 3:01 PM UTC

Data security is the name of the game across all businesses these days. From the iCloud hacking scandal to data breaches at Home Depot (HD) and Target (TGT), all sorts of corporations are looking to shore up cyber security and protect their customers — and to make sure they aren’t losing business to rivals better at protecting your address and credit card numbers.

For car companies, though, it’s not just about financial crime and fraud — hacking could result in real-world, real-time physical problems and injuries. This will especially be a problem as automated and semi-automated cars move into the mass marketplace, something that’s expected to happen over the next decade or so.

“I think it goes without saying that if you don’t get security right, automated cars don’t get off the ground,” said Woodrow Hartzog, a law professor at Samford University’s Cumberland School of Law and an affiliate scholar at Stanford Law School’s Center for The Internet and Society. “If we have a mistake with some kind of cybersecurity with a car, we have an immediate physical threat.”

And if your mind goes right to the worst, most sinister science-fiction scenario, you aren’t wrong — a cybersecurity breach for an automated car could actually take the form of some malicious party taking control of a vehicle and stopping the brakes, stalling in the middle of traffic or turning off the road.

So, there is definitely a threat. What, then, are car manufacturers doing to make sure their products remain safe?

General Motors (GM) made news last week when it announced the promotion of Jeffrey Massimilla to the newly created role of cybersecurity chief. He’ll be helping the car company — which is looking to overcome its recent history of recalls and deaths from bad mechanical safety practices — as it develops self-driving cars, expected to be rolled out in the next few years and possibly on the mass market by 2020.

It’s this growth of technology in cars that is concerning, said Col. Greg Conti, an associate professor of military security at West Point and a cybersecurity specialist.

“The larger the attack surface, the more likely you are to run into a problem,” he said.

It’s up to government regulators — likely to be the Federal Trade Commission — and the industry to work together to figure out how exactly automobile data security will work, Hartzog said. One problem he brought up is that manufacturers generally want a specific list of things that they need to do to be compliant, a practice that may work when guarding against mechanical malfunctions, but not for the living threat of hackers.

“That’s not exactly how data security works,” he said. “You can either have a checklist of things to do for good data security, or you can have good data security, but you can’t have both.”

Last summer, Charlie Miller of Twitter (TWTR) and Chris Valasek of IOActive published a paper detailing which cars were the “most hackable” and how cyber attacks on vehicles could come about. It describes three distinct phases of a cyber attack: First, hackers have to gain access to a car’s electronic control unit. Second, they must inject code into the unit. Finally, if the attacker desires, an action is taken that affects the car, such as stopping brakes or moving the steering wheel.

Valasek told Fortune that during tests he was able to move the steering wheel of cars by using the program designed for automatic parking — which could be done remotely if someone hacked into the car.

He does note that while these types of attacks are completely possible, they would have to be the result of a concerted and targeted attack, unlike attacks by computer hackers, who sow chaos by simply putting a link on Facebook or in a chain e-mail.

“Someone who does this is going to spend a lot of time, money and effort,” he said. “And have a very special skill set.”

For now, car manufacturers have to be looking at potential security issues, even if they don’t seem apparent to customers yet.

“I think that generally companies recognize that this is an issue,” Hartzog said. “I think we’re there. I think that we want to make sure that we move forward in an incremental way.”

Correction: An earlier version of this story said Valasek controlled a car’s steering remotely. He was actually plugged into the car at the time, but the hack could in theory be done remotely.