- more and more cars are becoming connected, but fears about hackers getting into your vehicle have been around for a decade, at least.
- nhtsa's nonbinding best practices guidance, currently being updated, says automakers should use a "layered approach to vehicle cybersecurity," one that understands that some vehicle systems might get hacked but that will keep the hack from causing too much damage.
- the un has regulations concerning vehicle cybersecurity that will go into effect in japan and south korea in 2022 and in europe in july 2024.
with greater connection comes greater vulnerability, and hacking a connected vehicle has long been a source of concern. in 2011, we wondered "can your car be hacked?" and in 2017, we were asking "can a connected car ever be safe from hacking?" now, in 2021, the answer seems to be that maybe connected cars will always have at least some theoretical opening, but that doesn't mean automakers aren't trying and trying and trying to secure your car.
a march 18 story in the new york times confirms just how tempting connected vehicles can be to hackers. a cybersecurity company called karamba security connected a vehicle electronic control unit (ecu) online and found that hackers made more than 25,000 breach attempts in three days. only one succeeded, but what the hackers didn't know was that this ecu wasn't real; it was a trap to see who would try to hack in.
while hackers see value in trying to get into connected vehicles, having someone worm their way into your car is not exactly top of mind for people thinking about autonomous and connected vehicles. in 2019, pc magazine conducted a poll of over 2000 people that found safety concerns and technology failures were the biggest fear when it comes to autonomous vehicles for 45 percent of respondents. only 15 percent said hacking threats were their top fear.
still, the auto industry and government regulators are constantly working to keep out the people who shouldn't be sneaking their way into connected cars. in january, the national highway traffic safety administration (nhtsa) asked for public comment on an update to a 2016 best practices document regarding nhtsa's nonbinding guidance to the automotive industry to make vehicles safer from cybersecurity threats. while nhtsa isn't forcing any automaker or supplier to take any specific steps, it does say that "a layered approach to vehicle cybersecurity, an approach that assumes some vehicle systems could be compromised, reduces the probability of an attack's success and mitigates the ramifications of unauthorized vehicle system access."
the united nations has passed regulations about vehicle cybersecurity with more teeth, rules that force auto manufacturers to assess risk and report intrusion attempts in order to certify that their connected components are secure. the times notes that this regulation will go into force in 54 countries, including in japan and south korea in 2022 and in europe in july 2024. given the global nature of the auto industry, though, the fact that the u.s. is not among the signatories for these rules isn't going to mean vehicles sold here won't have the same or similar defenses.
"the un regulation is a global standard, and we have to meet global standards," a general motors spokesperson told the times.