On Wednesday at the 2017 North American International Auto Show (NAIAS) in Detroit, a group of security analysts took on one of the most critical concerns when it comes to autonomous and connected cars: Hacking into them.
Moderated by Ron Plesco, principal and national lead at KPMG cyber investigations, the panel included Adam Meyers, vice president of intelligence at CrowdStrike, Danny Le, principal and automotive leader for KPMG cyber security services, and Doron Rotman, managing director and privacy service leader for IT audit and assurance at KPMG.
The group discussed what Plesco called the "internet of cars"—the kind of data connected and autonomous cars share, who owns it, and how it can be compromised.
Le works closely with different types of companies on security. "The reality of cybersecurity risks may not be as recognized as it should be throughout the entire product development and lifecycle," he said. "There should be security professionals as part of the process. Not an afterthought."
"The threat is very real," Le added. "Governments that have unlimited resources have been hacked. Huge tech companies have been hacked. Millions of email accounts compromised. Financial services and institutions have been hacked."
Meyers brought up some of the earliest automotive hacks, which happened in 2003 when vehicles became enabled with bluetooth—at the time, no form of security had been implemented. And then there was the more recent Tesla incident, when Chinese researchers at Tencent hacked into Tesla S via Wi-Fi, and were able to remotely operate the car.
Today, barriers for interacting with cars have lowered—"they have become more interactive, more like an open platform," said Meyers. That means there are increased vulnerabilities. Also, it's not just vehicles that are open to cyberattack—there are also sensor packages for vehicles, and voice command systems through platforms like Amazon's Alexa that create new vulnerabilities.
So why would a nation, or an individual actor, want to hack into a car's data? It's about money, said Le. "Social media passwords are worth more on the black market than an American Express card," he said.
How to prevent hacking? All panelists stressed a proactive approach. Meyers said he believes in a "ground up" strategy in security vehicles. Carmakers, he said, should be engaging with product security teams. Rotman also said he believes in "privacy by design." He brought up another important point: Considering the ethical uses of data. "You can not 'un-discover' findings," he said.
In addition to preventing hacking, the group talked about the value of the data a car collects.
"Data from the car is the new revenue," said Le. And who owns a car's data is a critical—and unanswered—question. Is it the car owner? The OEM? The individual? "Data is a currency that should be protected," Rotman said.
Meyers also addressed the growing complexity of the industry. "When we look at the new mobility sector, a lot of players are coming in," he said. "There's the powerful OEM, the tech companies, the regulators, and consumers."
"There's a tension in how fast this industry is going to mature," he added. "The user community may not want it as fast as you think. Tech wants to push forward. Regulators want to guide it." This tension, said Meyers, will likely lead to conflict. "It's important to pay attention to the regulators," he said. "They have public interest in mind. We need to talk to regulators and start to regulate ourselves rather than wait."
A cybersecurity breach would also have a major financial impact on the company hacked into. KPMG found that 82% would never buy from an automaker if the company experienced a vehicle hack. "The impact of hacking will go straight to the OEM," said Doron. "They have to pay attention, they have to manage the extended ecosystem."
Le again stressed the urgency of addressing cybersecurity.
"This is a real threat. This is public safety, it's family, it's our kids," he said. "We need to pay attention."
The 3 big takeaways for TechRepublic readers
- In the age of connected cars, the risk of security hacks is growing, according to a panel of security experts at NAIAS 2017. Hackers will most likely target personal information, like email addresses and social media passwords, which the experts say are more valuable than credit card information.
- New technology is bringing a host of new players, including the user community, the tech company, the OEM, and regulators, which is likely to bring tension over who "owns" the data.
- A hacking incident will most directly impact the OEM, and they must take care to protect security in order to protect the brand. KPMG research shows that 82% would never buy from an automaker if the company experienced a vehicle hack.
- AI as co-pilot': The state of autonomous driving, from the auto world's headquarters in Detroit (TechRepublic)
- Waymo CEO John Krafcik wins 'Disruptor of the Year' Shift Award, for autonomous minivan, from Roadshow by CNET (TechRepublic)
- Our autonomous future: How driverless cars will be the first robots we learn to trust (TechRepublic)
- 7 autonomous vehicle partnerships that will shape the future (TechRepublic)
- Top 10 developments of 2016 in autonomous vehicles (TechRepublic)
- Autonomous driving levels 0 to 5: Understanding the differences (TechRepublic)
- Ford CEO promises autonomous vehicles for mass transit by 2021 (ZDNet)
- Photos: A list of the world's self-driving cars racing toward 2020 (TechRepublic)
Hope Reese has nothing to disclose. She doesn't hold investments in the technology companies she covers.
Hope Reese is a journalist in Louisville, KY. Her writing has been featured in The Atlantic, The Boston Globe, The Chicago Tribune, Playboy, Undark Magazine, VICE, Vox, and other publications.