The Auto Industry: The Next "Big" Target for Hackers?

19 March 2015 Dashboard Insights Blog
Author(s): Chanley T. Howell, James R. Kalyvas, Michael R. Overly

Given the exponential rise in security breaches and hacking activity in the past few years and the almost constant headlines in the press of yet another major security breach, information security should be a front-burner issue for every business. While the auto industry has, for the most part, avoided being a primary target for hackers in the past, having only faced research demonstrating “possible” attacks, that is likely to change in the near future. There are four reasons for that change:

  1. Big Data. Carmakers, dealerships, and their suppliers and vendors have developed extremely large databases of consumer information, ranging from customer preferences, to financial information, to driving statistics, to location-based data. These huge databases make tempting targets for hackers. They are also drawing the attention of regulators who are increasingly viewing dealerships as financial institutions in terms of the magnitude of personal consumer information collected in their finance and insurance departments.
  2. Connected Nature of Cars. Industry studies show that by 2017 more than 60% of new vehicles will be connected in some way to the internet, making them part of the “Internet of Things.” Many automobiles have wireless connections to the internet via Bluetooth and wireless hot spots through cellular connections. In addition, cars now feature a multitude of applications that can be accessed and controlled by a driver’s smart phone, which, itself, connects to the internet. These connections may pave the way for a hacker to gain control of a car’s systems and data. This is not fantasy, but fact. Researchers at the DEF CON hacker conference recently presented evidence of how they were able to hack and take control of the electronic smart steering, braking, acceleration, engine, and other functions of several types of vehicles. This follows similar research several years ago conducted by the University of Washington and the University of California-San Diego, where various functions of a car were compromised using Bluetooth, modified CDs, and other techniques.
  3. Automotive Complexity. The volume of programming in a modern car is staggering. Programming is typically measured in “lines of code” (LOCs). For example, a pacemaker may have about 80,000 LOCs. The original space shuttle had about 400,000 LOCs. Only a handful of technologies have in excess of 100 million LOCs: the total DNA of a mouse, the code for the ill-fated Healthcare.gov website, and the software in the average high-end automobile. A study at Carnegie Mellon University showed that, on average, commercial software contains between 20 and 30 bugs for every thousand lines of code, meaning the software in an automobile could have 1 to 2 million bugs that could be exploited by a hacker.
  4. Interconnectivity of Carmakers, Dealerships, Suppliers, Vendors. In addition to the foregoing, the systems used by carmakers in the design and manufacture of their vehicles, systems on which maintenance information is stored, systems maintained by dealers and their respective vendors and suppliers, etc. are all vulnerable to attack. This is particularly so in the context of the interconnections between and among those systems and the continuing trend to place many of those systems in the “cloud.” The interconnected network of all those systems is only as strong as its weakest link. If one system is compromised, the others may fall. Hackers routinely exploit this exact interconnected nature of complex systems to compromise a weak outlying system and leverage it to gain access to far more heavily secured systems.

Just as the retail and oil and natural gas industries have done, the auto industry is moving to create an Auto ISAC (Information Sharing and Analysis Center) to address information security issues. That is an important step in mitigating security risks. Another is ensuring directors and officers are appropriately educated regarding information security risks. To assist in that effort, our firm has created a white paper, entitled “Taking Control of Cybersecurity: A Practical Guide for Officers and Directors.”

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only.