“I don’t want to insist on it, Dave, but I am incapable of making an error.”
– HAL 9000
Most science fiction fans can vividly recall the eerie conversation that Dr. Dave Bowman had with his spaceship’s onboard computer, HAL, in the epic 1968 film 2001 A Space Odyssey. HAL, which controlled all the operating systems of “Dave’s” spacecraft, was preventing Dave from taking back control and threatening Dave’s life in the process.
Fast forward to today. You get into your car, turn on your infotainment screen, and a strange and disturbing message appears. It informs you that hackers have taken control of your car’s systems and you will not be able to operate your vehicle until you pay a ransom. This is no longer science fiction. It’s an example of real-world car hacking, a serious and growing problem as vehicles become increasingly entangled into the internet of things.
Car hacking refers to the ways malicious actors can exploit weaknesses in an automobile’s software, hardware, and communications systems to gain unauthorized access and control. Cars today are as much electronic as they are mechanical. They are built with an ever-expanding array of computerized equipment, including electronic control units, controller area networks, Bluetooth connections, remote key fob entry/activation, and more. In fact, consulting firm McKinsey & Co. claimed that today’s cars have as many as 150 electronic control units and are expected to run on as many as 300 million lines of software code by 2030.[i]
This advancement in a vehicle’s electronic architecture, including its connectivity to the internet and cloud, creates a substantially expanded threat landscape. And potential vulnerabilities are only expected to increase as vehicles add new digital innovations, including autonomous driving functionality.
Fortunately, the auto industry and government regulators are working assiduously to establish mechanisms and standards to prevent hacking and limit vulnerabilities in automotive systems. In January, the National Highway Traffic Safety Administration (NHTSA) asked for public comment on an update to a 2016 best practices document regarding NHTSA’s nonbinding guidance to the automotive industry to make vehicles safer from cybersecurity threats. The NHTSA is promoting “a layered approach to vehicle cybersecurity that assumes some vehicle systems could be compromised, reduces the probability of an attack’s success, and mitigates the ramifications of unauthorized vehicle system access.”
Car manufacturing is a global enterprise, and the United Nations has taken the lead in passing international regulations about vehicle cybersecurity. These rules force auto manufacturers to assess risk and report intrusion attempts to certify that their connected components are secure. This regulation is scheduled to go into effect in 54 countries, including Japan and South Korea this year and Europe mid-2024.
Of course, private enterprise is also responding to the need for automotive security. According to research firm VMR, the global automotive cyber security market is projected to reach $6.3 Billion by 2028, growing at a CAGR of just over 18%. Among the larger players are Infineon Technologies, Argus Cyber Security, Intel, and Trillium Software. But the pipeline of new start-ups addressing the varied aspects of automotive cybersecurity is robust and growing.
2001: A Space Odyssey foretold a dystopic future in which control of mission critical operations was acceded to AI-driven machines with dire consequences. While HAL is not yet operating our minivans, today’s connected vehicles give rise to myriad security and privacy risks that should be meaningfully addressed. This clarion call only grows louder as driver-assisted technology thrusts forward. The automotive industry, government regulatory bodies, and consumers would do well to understand these risks and work towards meaningful mitigation. It is in our collective interest as a society to ensure that vehicles are well-protected from unwanted access and manipulation.