In 2015, a devious pair of hackers, from the comfort of their living room, took control of a driver’s sport utility vehicle as he was cruising 70 mph along a St. Louis highway.
Without warning, the driver was hit by a blast of frigid air emitting from the dashboard vent. Hip-hop music began blaring from the vehicle’s sound system.
The driver hardly had time to react when, next, wiper fluid squirted onto the windshield and the wipers began swiping furiously. Then he lost control of the SUV’s steering and braking systems.
Not yet done toying with him, the hackers locked the SUV’s transmission, bringing the vehicle to a halt on the fast-moving highway. Just as the driver began pleading for relief, a large truck bore down on him from behind.
Luckily, no accident occurred. This hacking was actually a controlled experiment to reveal potential automotive cyber risks—and the driver was in on it. It wasn’t the first time hackers have been able to connect and take control of a vehicle to reveal such automotive vulnerabilities.
Two years ago, another team demonstrated their ability to tap into a vehicle’s controller area network, known technically as a “CAN bus,” which generally serves as a specialized internal communications system that connects components inside a vehicle. A year later, an automotive software company described how it had installed a Trojan horse on a particular usage-based insurance dongle, an aftermarket plug-in device. This company claimed the ability to wirelessly and remotely influence a vehicle’s mission-critical components, including the engine, brakes, and steering.
'A step up in sophisticated hacking'
The SUV breach is a step up in sophistication from these earlier hacking episodes and more disturbing by far, as it was done remotely without use of a plug-in dongle or other type of aftermarket device. Instead, the SUV hackers reportedly used sophisticated software that allowed them to send commands through the vehicle’s entertainment system from a laptop.
The very thought that one’s car can, potentially, be so easily hacked, leaving a driver with no control over the vehicle’s braking and steering systems while the car is in motion, is indeed a terrifying one. Can it really happen? While there are varying opinions as to the ease with which a vehicle’s control system may be hacked, the idea that something like this could potentially happen does raise several questions for usage-based insurance and telematics experts.
Some issues to consider include: How does the potential for vehicle hacking affect the insurance industry? Will the possibility of hacking affect the adoption of telematics by insurers? How will vehicle buyers react? Will hacking-related concerns potentially stifle the progress being made in connected-car technology?
To be realistic, the type of vehicle hijacking described by the SUV breach hackers is unlikely to occur. This is partly because vehicle connectivity is still too limited to accommodate hacking on the scale carried out by those hackers. The hacking incidents that have been reported to date often are the result of long-term research conducted by dedicated teams who have access to the specific vehicles that are hacked.
In the future, two perceived trends in the auto manufacturing industry will likely address the hacking threat before it has the potential to become a danger. In addition, reports indicate that manufacturers are already investing significant efforts to encrypt and secure vehicles to protect them from such hacking.
We’re seeing the rise of a network of security companies providing safeguards for original equipment manufacturers (OEMs), and this is likely to grow in the coming years. Also, the trend is moving away from aftermarket devices, such as plug-in dongles, which are potentially more vulnerable to hacking.
With the next generation of connected cars, OEMs will likely continue their efforts to introduce safer and more reliable vehicles. In addition, OEMs are likely to realize that the collection and usage of telematics data for insurance purposes also has a positive effect on vehicle security.
For more information, visit the Verisk Telematics Data Exchange™.
This article was produced by Verisk Telematics and first appeared as part four of a ten-part series of articles on PropertyCasualty360.com, which has permitted its reuse.