Last summer, Bryson Bort scared the bejesus out of many in the audience at the Center for Automotive Research’s Management Briefing Seminars in Traverse City, MI.
Bort, founder and CEO of Grimm, a cybersecurity consultancy, issued a stern warning that cars, like smartphones and many other electronic devices, are vulnerable to hacking and will become even more vulnerable as the industry advances into autonomous driving.
In a recent interview, he explains there are two main avenues to “hack” into a car. One is through direct access, having physical contact with the car, including at dealerships and service centers, and the other is remotely.
“Remote is the one which keeps people up at night because somebody is able through the Internet or 400 meters (437 yards) nearby on a radio frequency to manipulate the car,” he says.
A former military signals officer, Bort employs a team of 50 engineers at his Arlington, VA, headquarters. He dismisses the notion of hackers taking control of a car’s drive systems for truly nefarious ends, such as kidnapping or hijacking a Brinks truck, as the stuff of spy thrillers. In his view it is too futuristic, and the obstacle is the cost-vs.-benefit calculation rather than technological capability.
“It’s a numbers game, because hacking a car is expensive,” he says. “The reason hacking works for financial scams is that it costs next to nothing to send out millions of emails with relative certainty that a target will click, even if by accident. With cars, the return is traditional theft, which is what we’ve seen publicly.”
Moreover, Bort raises questions about motive, a critical issue in any discussion about hacking.
“The only motive I see is that someone might want to cause damage and chaos. The other possible motive is to cause embarrassment. And right now, that can only be done on a targeted one-to-one basis.”
And therein lies part of the problem for wannabe hackers. “The average person who’s worked with computers and software has never worked with the particular protocols found in a car. They don’t have the experience to do this kind of research,” he says.
Bort predicts that will change in the future as the “surface area” – a cybersecurity term to denote all of the potential avenues for compromise including infrastructure – continues growing.
“As we move to Levels 4 and 5 of autonomy (fully autonomous driving) with cars talking to cars and cars talking to the infrastructure, we can’t even predict the size of the surface area, thus the exposure to unknown vulnerabilities; i.e., the unknown unknowns.”
At present, the number of access points is limited to the car’s mirrors, windows, door locks, tire pressure monitors and CAN information bus. The infotainment center connects the car to the Internet and Ethernet.
So what is the real security risk? Is it about personal information and identity theft, or something bigger?
“It’s both,” Bort says. “But there’s still not much personal information in a car. There’s mainly your cell phone contact list, which generally isn’t an automotive problem.
“But as we move increasingly to autonomous vehicles, there will be greater risk to manipulate data that the car receives to make split-second decisions about very fast, very heavy objects all moving in some sort of synchronized way to cause a negative result – specifically, a fatality or serious accident, something that impacts safety.”
Bort is unaware of any real-world incidents and says OEMs take the matter seriously. “They want to make sure they have a product that offers a level of assurance that it will do what it’s supposed to do without anybody affecting security.
“We drive 100 million miles between fatalities in the U.S. Increasing connectivity brings the enhancements that consumers crave and supports the eventual arrival of autonomous vehicles.
“This technology will also increase the safety of transportation, since computers will be safer than human drivers on average. But,” he warns, “this increased complexity comes with other risks that could upend that calculus.”