Hackers can control your car! Don't believe it? It's actually very simple

The relationship between cars and computers is becoming increasingly intimate and complex. Specialized software allows every part of a vehicle to be connected, from brakes to steering wheels to door locks and even the radio, all of which can be networked. Many newer models also allow the vehicle to connect to the Internet.

So, what is the chance that your car will be hacked? How much damage can hackers cause? Car companies are working on building self-driving cars, but how strong are their ability to defend against cyber attacks launched by hackers? Today, we will let the world's leading experts give us a detailed introduction.

Stephen Savage is a 2017 MacArthur Foundation "genius" scholarship winner and a professor at the University of California, San Diego, who specializes in car hacking. He said: "Compared to the past, car companies have done more efforts, but not enough. This may put drivers and pedestrians at risk of injury or even death. At the same time, this will also involve the driver's privacy." Current challenges include: "Raising the standards of the automotive industry and reapplying the lessons learned from the past PC software industry to the automotive field. It will take a long time to convince us that the in-vehicle system is safe."

Part of the problem is the software running in cars, especially self-driving cars, which are easy to control, said Deirdre Mulligan, co-director of the UC Berkeley Center for the Study of Law and Technology and a professor at the UC Berkeley School of Information. When it comes to vehicle safety, Mulligan said, “The learning curve is of mixed quality and unevenly distributed.”

The potential safety issues of connected cars made headlines in 2015 when two security researchers hacked into a Jeep Cherokee and disabled the brakes, slowing it to below 70 mph on the highway. The hack led FCA to recall 1.4 million vehicles. "We could have done more to make cars safer. The safety technology exists, it's just a matter of whether automakers are willing to do it," said Kathleen Fisher, former DARPA manager and chair of the computer science department at Tufts University.

The potential safety issues of connected cars made headlines in 2015 when two security researchers hacked into a Jeep Cherokee and disabled the brakes, slowing it to below 70 mph on the highway. The hack led FCA to recall 1.4 million vehicles. "We could have done more to make cars safer. The safety technology exists, it's just a matter of whether automakers are willing to do it," said Kathleen Fisher, former DARPA manager and chair of the computer science department at Tufts University.

Around the same time, hackers from the University of Washington and UC San Diego (including Savage) revealed that GM spent five years recalling and fixing 4.5 million Chevrolet Impalas due to a security vulnerability in the OnStar navigation system. Last year, hackers in Germany were able to remotely unlock and start 24 models thanks to a key fob hack, and BMW exposed owner data and vehicle remote hacking ports through its portal.

Keen Security Lab under Tencent MIG cracked the Tesla Model S in-vehicle system in 2016 and demonstrated remote non-physical contact braking while driving; in 2017, Keen Lab cracked the Tesla Model S again and also cracked Tesla's new SUV Model X. They also revealed that they could use means to enter the in-vehicle sensor system to mislead the operation of the autonomous vehicle or cause a collision when switching between semi-autonomous driving mode and full manual driving mode.

“Car companies have been slow to acknowledge the importance of long-standing security basics for in-car computers, such as over-the-air (OTA) software updates to fix vulnerabilities,” Savage said. Another big reason they’ve been slow to improve security is that they don’t always own the software code that runs in the car. There are a hundred companies that write the code, and then they put it all together, and the car companies don’t own the code. It’s not their code, and there’s a bunch of dialog boxes that they’re trying to coordinate and test in time, but they have 20 different microprocessors and 15 different operating systems that may change from year to year. From an assessment perspective, it’s a bit of a nightmare.

Karl Koscher, a security researcher at the University of Washington, said that today's in-vehicle software and hardware are so complex that even car companies cannot fully understand them. He said: "When we informed GM about the Impala vulnerability, the company said it did not have firmware for the components. Radio firmware manufacturers are already out of work. They realize that car companies don't know what the software and hardware devices in their vehicles are. They rely on suppliers to ensure the security of the Internet of Vehicles. This idea is really eye-opening." After learning about the hacker intrusion, most car companies did not comment. Volkswagen's US division said in a statement that the company attaches great importance to the safety of its customers and vehicles, will continue to monitor and improve the security protection measures of electronic equipment and mechanical devices, and actively support the introduction of regulations for in-vehicle computer security research.

Car hacking experts say many big automakers have been slow to act when it comes to in-car computer security. Robert Currie said he estimated there would be "no real change" unless something "touches the pocketbook" of the automakers. In a 2015 paper on car hacking published by the SANS Institute, Currie laid out the basics of in-car computer security vulnerabilities.

Currie said that car companies do not pay enough attention to such risks. We see headlines almost every month, hacker attacks or mentions that the on-board computer protocol is unsafe. Continuing to use the CAN bus is one of the biggest security risks for cars. He said: "There is no fixed way to protect the CAN bus. I know that it is not cheap to replace equipment. The problem is that money is what drives car companies. If they can save a few cents, many car companies will use something cheaper rather than safe." But the balance between security risks and costs must be based on the interests of consumers. At this point, many companies have begun to actively strengthen the construction of automotive network security.