Cars have huge attack surfaces, and they are getting bigger every year.
One source says the average car has 30-50 computers and luxury cars have a hundred (personally, I think that is low). Add to that 60 to 100 sensors. Some cars have a hundred million lines of code in them.
How do you make that 100 percent secure? That is a pretty daunting task.
But then you have another complexity.
I own two cars that were built in 2006. They were probably designed a few years before that.
Do you think any car maker is going to patch cars that are 15 to 20 years old?
This week a researcher revealed that Honda, in some of its “older” cars, did not use encryption in its door unlock and remote start feature, so all a hacker had to do was be close enough to record the sequence and he or she could play it back at will. And yes, they used the same sequence every time for a car.
What was Honda’s response?
Those are old cars (they date back to 2015 and newer). We’re not going to fix it.
Who knows what it would even take to fix it. Nothing says that you can just load new software into those cars. There is probably hardware that would need to be replaced and new engineering.
Who is going to pay for that?
How do you even figure out who owns those cars now? There is no requirement to tell the manufacturer that you just bought a used car from someone.
Honda is not alone. Tesla had a similar problem last year. They had to download new software and then convince owners to buy new key fobs.
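The Honda weakness described above, a fixed sequence that can be recorded and played back, is shown here next to a receiver that rejects a replayed frame. This is an added example, not code from Honda or the researchers; the frame layout (4-byte counter plus HMAC-SHA256 tag), the key, and the 16-press window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed secret shared by fob and car at pairing
WINDOW = 16                     # assumed tolerance for presses made out of range


class FixedCodeReceiver:
    """The behaviour the article describes: one sequence, valid every time."""
    def __init__(self, code):
        self.code = code

    def accept(self, frame):
        return hmac.compare_digest(frame, self.code)


class Fob:
    """Hypothetical fob: sends counter || HMAC-SHA256(key, counter)."""
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self):
        self.counter += 1
        ctr = struct.pack(">I", self.counter)
        return ctr + hmac.new(self.key, ctr, hashlib.sha256).digest()


class RollingCodeReceiver:
    """Accepts a frame only if the MAC verifies and the counter moves forward."""
    def __init__(self, key):
        self.key, self.last = key, 0

    def accept(self, frame):
        if len(frame) != 36:                       # 4-byte counter + 32-byte tag
            return False
        ctr, tag = frame[:4], frame[4:]
        if not hmac.compare_digest(tag, hmac.new(self.key, ctr, hashlib.sha256).digest()):
            return False                           # forged or corrupted
        value = struct.unpack(">I", ctr)[0]
        if not self.last < value <= self.last + WINDOW:
            return False                           # replayed, stale, or too far ahead
        self.last = value
        return True


def demo():
    fixed, fob, car = FixedCodeReceiver(b"\x5a" * 8), Fob(KEY), RollingCodeReceiver(KEY)
    static, rolling = b"\x5a" * 8, fob.press()     # frames a nearby recorder would see
    return (fixed.accept(static), fixed.accept(static), car.accept(rolling), car.accept(rolling))
```

Calling demo() returns the accept decisions for the first and second presentation of the same frame: the fixed-code receiver accepts both, the counter-based receiver accepts only the first.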
There was a 60 Minutes segment a couple of years ago where some researchers took over a Jeep, controlling the steering and brakes, while it was driving down the highway at 60 miles an hour – from miles away.
In another attack, researchers were able to disable the charging function of the Combined Charging System due to security flaws by disrupting the communications between the charger and the vehicle.
This is only going to get worse before it gets better. It is very hard to build truly secure systems.
How do we pay for that, and how do we retrofit hundreds of millions of old cars on the road?
One thing working in our favor –
Manufacturers are horrible about standardizing these things so even two cars from the same brand might have completely different innards. On the other hand, sometimes, two models from different brands – say Chevy and Cadillac – are actually the same car with different finishes. It is hard to tell what is different and what is the same, so hackers have to decide whether it is really worth the effort.
What works against us is that car makers buy a lot of stuff – think about how many car makers bought Takata airbags. Remember the ones that were defective? So if you can sabotage the supply chain, well, that makes things easier.
That is not at all clear. Credit: Threatpost and CEI