A California-based consumer-advocacy group is putting it in starker terms, suggesting a mass cyberattack against such vehicles could lead to Sept. 11-level casualties.
The report urges automakers to install 50-cent "kill switches" to allow vehicles to be disconnected from the Internet. The report highlights numerous widely reported instances of remote vehicle hacking,
The report says, "Millions of cars on the Internet running the same software means a single exploit can affect millions of vehicles simultaneously. A hacker with only modest resources could launch a massive attack against our automotive infrastructure, potentially causing thousands of fatalities and disrupting our most critical form of transportation. Recent reporting about United States efforts to counter Russian cyber-attacks with its own online infiltration indicate that we increasingly live in the era of cyber warfare. An attack targeting transportation infrastructure is a growing possibility."
The report highlights a key security flaw in connected vehicles, saying that the vulnerability is growing because of the increasing number of such vehicles on the roads.
"Experts agree that connecting safety-critical components to the internet through a complex information and entertainment device is a security flaw. This design allows hackers to control a vehicle’s operations and take it over from across the internet," the report says, noting that "by 2022, no less than two-thirds of new cars on American roads will have online connections to the cars’ safety-critical system, putting them at risk of deadly hacks."
The report said several automakers have disclosed the cyber risks to their investors.
Specifically, the report said that the car industry should respond immediately with more transparency and consumer control:
- Regulators should require automakers to publicly disclose the authorship, safety certifications, and testing methodology used for all safety and security critical software, allowing for analysis by independent regulatory and testing agencies.
- CEOs of auto manufacturers should sign personal statements and accept personal legal liability for the cyber-security status of their cars.
- The industry should agree to a general standard protocol that cars not be connected to wide-area networks until they can be proven immune to hackers.
The National Highway Traffic Safety Administration issued a statement about the report:
"NHTSA is aware of the report and is reviewing it. In every public safety question, the agency relies on data, science and facts. For vehicle cybersecurity," it said, "NHTSA supports a multi-layered protection approach focused on vulnerable entry points, both wireless and wired. Manufacturers should report incidents, threats and vulnerabilities related to cybersecurity to the Automotive Information Sharing and Analysis Center."