Transportation

Here Is How To Address Car Hacking Threats

Comment

Image Credits: Chesky (opens in a new window) / Shutterstock (opens in a new window)

Kevin Mahaffey

Contributor

Kevin Mahaffey is co-founder and CTO of mobile security leader Lookout.

When you connect a car to the Internet, it is no longer just a car: It is a computer on wheels.

For years, the security industry has asked itself, “When will cyberattacks affect the physical world?” The connected car is a clear example of where this manifests, especially as researchers release new information about vehicles’ vulnerabilities, such as my partner Marc Rogers’ and my deep dive into Tesla’s systems, or the recent Jeep Cherokee analysis, wherein researchers breached the vehicle’s drive systems from the Internet, slowing the vehicle to a crawl on a highway. Fiat Chrysler has since recalled more than one million vehicles as a result, and legislation aptly named the “Security and Privacy in your Car Act” is currently in consideration by Congress.

When a car can search Google, send tweets and be remotely accessed from a smartphone app, that car has more in common with your laptop than it does the Model T. Securing the next generation of connected automobiles means redefining what it means for a vehicle to be “road-ready.” The road-ready vehicle of the future needs cybersecurity measures beyond the traditional physical safety measures taken today.

It is inevitable that automobiles — alongside every other essential technology in our lives — become connected. Given how important cars and trucks are to both individuals and the world’s economy as a whole, it’s entirely expected that attackers will focus their energy on disrupting vehicles’ (hopefully) well-designed systems.

Thankfully, nothing catastrophic has happened yet, and the auto industry is in position to take necessary action to get ahead of this problem. However, it needs to learn from the software industry’s experience on the front lines of the Internet, something most auto manufacturers have yet to do.

For example, as part of its mission to reinvent the automobile, Tesla has taken a software-first approach to its cars. Knowing that the people will expect their car to be connected to the Internet, the conversation internally never was “when these cars become Internet-connected,” it always was “how can we build a great connected car?”

As with any software-driven product, cybersecurity must be a deliberate investment. Today, the auto industry can take three specific measures to dramatically improve the cybersecurity of its vehicles.

First, vehicles need over-the-air update systems to avoid expensive and lengthy recalls every time a security vulnerability is found. Second, manufacturers must separate infotainment systems and the critical drive systems, tightly controlling communication between them, just as commercial airliners isolate inflight Wi-Fi networks from critical avionics systems. Third, manufacturers must assume that some attacks will succeed and secure each individual software component in the vehicle, so that if an attacker compromises a single system they do not automatically get access to the entire vehicle.

While the state of automobile cybersecurity would be substantially improved if all manufacturers implemented these guidelines, they are just a start. It takes years for a company to develop a strong cybersecurity culture; even with a strong internal cybersecurity team, that team must be supported by and integrated into the organization as a whole.

Further, companies with experienced security teams look not just inside the company for support, but outside to the global community of security researchers identifying problems — and hoping to get them fixed — ahead of criminals. For example, Tesla launched a “Bug Bounty” program to encourage external security researchers to responsibly identify and help fix any security issues they uncover. I encourage all other manufacturers to follow a similar path.

Consider the consequences if the auto industry does not get security right: Manufacturers may need to issue a recall for every software vulnerability found. Recalls are a long process, and software vulnerabilities become a substantial personal safety issue, even a national security concern, if not fixed immediately. Further, if the frequency of software vulnerabilities in vehicles is anywhere near that of PCs — monthly and even weekly in some cases — recalls quickly become impractical.

I sincerely hope that all auto manufacturers proactively address cybersecurity, starting with the guidelines above, to make automobiles one of the most secure pieces of technology in our lives.

More TechCrunch

Sona, a workforce management platform for frontline employees, has raised $27.5 million in a Series A round of funding. More than two-thirds of the U.S. workforce are reportedly in frontline…

Sona, a frontline workforce management platform, raises $27.5M with eyes on US expansion

Uber Technologies announced Tuesday that it will buy the Taiwan unit of Delivery Hero’s Foodpanda for $950 million in cash. The deal is part of Uber Eats’ strategy to expand…

Uber to acquire Foodpanda’s Taiwan unit from Delivery Hero for $950M in cash 

Paris-based Blisce has become the latest VC firm to launch a fund dedicated to climate tech. It plans to raise as much as €150M (about $162M).

Paris-based VC firm Blisce launches climate tech fund with a target of $160M

Maad, a B2B e-commerce startup based in Senegal, has secured $3.2 million debt-equity funding to bolster its growth in the western Africa country and to explore fresh opportunities in the…

Maad raises $3.2M seed amid B2B e-commerce sector turbulence in Africa

The fresh funds were raised from two investors who transferred the capital into a special purpose vehicle, a legal entity associated with the OpenAI Startup Fund.

OpenAI Startup Fund raises additional $5M

Accel has invested in more than 200 startups in the region to date, making it one of the more prolific VCs in this market.

Accel has a fresh $650M to back European early-stage startups

Kyle Vogt, the former founder and CEO of self-driving car company Cruise, has a new VC-backed robotics startup focused on household chores. Vogt announced Monday that the new startup, called…

Cruise founder Kyle Vogt is back with a robot startup

When Keith Rabois announced he was leaving Founders Fund to return to Khosla Ventures in January, it came as a shock to many in the venture capital ecosystem — and…

From Miles Grimshaw to Eva Ho, venture capitalists continue to play musical chairs

On the heels of OpenAI announcing the latest iteration of its GPT large language model, its biggest rival in generative AI in the U.S. announced an expansion of its own.…

Anthropic is expanding to Europe and raising more money

If you’re looking for a Starliner mission recap, you’ll have to wait a little longer, because the mission has officially been delayed.

TechCrunch Space: You rock(et) my world, moms

Apple devoted a full event to iPad last Tuesday, roughly a month out from WWDC. From the invite artwork to the polarizing ad spot, Apple was clear — the event…

Apple iPad Pro M4 vs. iPad Air M2: Reviewing which is right for most

Terri Burns, a former partner at GV, is venturing into a new chapter of her career by launching her own venture firm called Type Capital. 

GV’s youngest partner has launched her own firm

The decision to go monochrome was probably a smart one, considering the candy-colored alternatives that seem to want to dazzle and comfort you.

ChatGPT’s new face is a black hole

Apple and Google announced on Monday that iPhone and Android users will start seeing alerts when it’s possible that an unknown Bluetooth device is being used to track them. The…

Apple and Google agree on standard to alert people when unknown Bluetooth devices may be tracking them

The company is describing the event as “a chance to demo some ChatGPT and GPT-4 updates.”

OpenAI’s ChatGPT announcement: Watch here

A human safety operator will be behind the wheel during this phase of testing, according to the company.

GM’s Cruise ramps up robotaxi testing in Phoenix

OpenAI announced a new flagship generative AI model on Monday that they call GPT-4o — the “o” stands for “omni,” referring to the model’s ability to handle text, speech, and…

OpenAI debuts GPT-4o ‘omni’ model now powering ChatGPT

Featured Article

The women in AI making a difference

As a part of a multi-part series, TechCrunch is highlighting women innovators — from academics to policymakers —in the field of AI.

17 hours ago
The women in AI making a difference

The expansion of Polar Semiconductor’s facility would enable the company to double its U.S. production capacity of sensor and power chips within two years.

White House proposes up to $120M to help fund Polar Semiconductor’s chip facility expansion

In 2021, Google kicked off work on Project Starline, a corporate-focused teleconferencing platform that uses 3D imaging, cameras and a custom-designed screen to let people converse with someone as if…

Google’s 3D video conferencing platform, Project Starline, is coming in 2025 with help from HP

Over the weekend, Instagram announced that it is expanding its creator marketplace to 10 new countries — this marketplace connects brands with creators to foster collaboration. The new regions include…

Instagram expands its creator marketplace to 10 new countries

You can expect plenty of AI, but probably not a lot of hardware.

Google I/O 2024: What to expect

The keynote kicks off at 10 a.m. PT on Tuesday and will offer glimpses into the latest versions of Android, Wear OS and Android TV.

Google I/O 2024: How to watch

Four-year-old Mexican BNPL startup Aplazo facilitates fractionated payments to offline and online merchants even when the buyer doesn’t have a credit card.

Aplazo is using buy now, pay later as a stepping stone to financial ubiquity in Mexico

We received countless submissions to speak at this year’s Disrupt 2024. After carefully sifting through all the applications, we’ve narrowed it down to 19 session finalists. Now we need your…

Vote for your Disrupt 2024 Audience Choice favs

Co-founder and CEO Bowie Cheung, who previously worked at Uber Eats, said the company now has 200 customers.

Healthy growth helps B2B food e-commerce startup Pepper nab $30 million led by ICONIQ Growth

Booking.com has been designated a gatekeeper under the EU’s DMA, meaning the firm will be regulated under the bloc’s market fairness framework.

Booking.com latest to fall under EU market power rules

Featured Article

‘Got that boomer!’: How cybercriminals steal one-time passcodes for SIM swap attacks and raiding bank accounts

Estate is an invite-only website that has helped hundreds of attackers make thousands of phone calls aimed at stealing account passcodes, according to its leaked database.

22 hours ago
‘Got that boomer!’: How cybercriminals steal one-time passcodes for SIM swap attacks and raiding bank accounts

Squarespace is being taken private in an all-cash deal that values the company on an equity basis at $6.6 billion.

Permira is taking Squarespace private in a $6.9 billion deal

AI-powered tools like OpenAI’s Whisper have enabled many apps to make transcription an integral part of their feature set for personal note-taking, and the space has quickly flourished as a…

Buy Me a Coffee’s founder has built an AI-powered voice note app