Deep dive: Please, don’t jailbreak your Tesla
Volvo just poured $30mn into an Israeli startup working on connected vehicle cybersecurity, part of an ongoing stampede by automakers to keep their products safe against a new generation of digital threats.
As our cities and homes get smarter - increasingly saturated with IoT enabled sensors, meters and intelligent devices - the same process is quickly happening to our cars. Given that almost 120mn households in the US have some sort of smart speaker, and the global number of IoT devices is predicted to hit 20.4bn in a few months time, cars are a logical place for the hyper-connected future to affect in ways we couldn’t have imagined a decade ago.
In 2018, the average American spent a total of 18 days in cars, and even form close emotional bonds with their cars, according to a study commissioned by Cooper Tire. It’s not so hard to imagine a year 2029 where the majority of vehicles are fully autonomous and as much a digital appliance as a laptop or smartphone (see what Injury Reserve think that’s going to look like).
Back in 2004, when the US DoD offered a prize to any self-driving vehicles that could complete a 143 mile course, only one entrant made it more than seven miles. Today, autonomous car makers are testing their creations on roads from Phoenix to London to Shanghai.
It isn’t hard to see that the global personal transport market is headed towards an ‘Internet of Cars’, powered by 5G adoption. “Cue 5G and sensor-driven collision-avoidance technology, but also vehicle-to-infrastructure communications, so a driverless car could respond to a red light. It could also enable citywide traffic management, with a central hub instructing driverless cars which routes to take to keep traffic flowing across a city,” posits Jamie Carter of Forbes.
However, while a more connected world can theoretically make our road networks safer, more efficient and hands free, there is mounting concern across the automotive sector that increasingly digital transport solutions are increasingly vulnerable to a new form of attack.
The Jeep Hack
In case you missed it, the unsettling power of hackers to remotely interfere with a car on the road was demonstrated as early as 2015. “I was driving 70 mph on the edge of downtown St Louis when the exploit began to take hold,” wrote Andy Greenberg, a reporter for WIRED who volunteered to drive around in a Jeep Cherokee while hackers Charlie Miller and Chris Valasek wreaked havoc with the car’s radio, windscreen wipers, air conditioning and, finally, its engine.
“The Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway. ‘You're doomed!’ Valasek shouted, but I couldn't make out his heckling over the blast of the radio, now pumping Kanye West,” Greenberg wrote later.
The two computer whizzes made their way into the car’s system via an internet connected computer in its dashboard and Chrysler had to recall 1.4mn vehicles as a result.
Four years later, there are as many as 112mn connected cars on the road around the world, and the potential security risks are prompting significant investment from the world’s car makers.
Volvo and Upstream Security
"Our mission is to protect every connected vehicle and smart mobility service on the planet. This funding is perfectly timed to meet the growing demand for our data-driven, cloud-based platform, providing our customers with the capabilities it needs to accomplish this vitally important task," Yoav Levy, co-founder and CEO of Upstream Security, a cybersecurity startup based in Tel-Aviv.
Today, the Venture Capital subsidiary of Volvo Group announced that it is investing $30mn in Upstream in order to fund the development of systems to protect connected vehicles following the introduction of data-driven technologies.
"Upstream Security has a promising offering and capability to support with cyber security solutions to meet our future requirements," commented Anna Westerberg, acting CEO of Volvo Group Venture Capital and SVP, Volvo Group Connected Solutions.
Please, don’t jailbreak your Tesla
Car companies upselling expensive extras has been part of the auto buying experience for decades. Back in 2015, those with the (not inconsiderable) funds to pick up a Bentley Bentayga also had the option of replacing the standard clock with a $170,000, diamond-encrusted dashboard clock by Breitling. This is an extreme example, but the war against being overcharged for bells and whistles has been raging between car owners and dealers for more than half a century; it makes perfect sense that, since the modern sedan has the power to connect to the internet, download apps and features that car owners would go looking on the web for third-party software to enhance their rides.
Cybersecurity firm Kaspersky wrote in a blog last year, acknowledging that “those perks don’t come cheap.” Kaspersky researchers found a thriving market for equipment and software that allowed users to bypass digital restrictions on their cars, including “special modules for resetting the mileage or reloading the airbags after an accident, saving on maintenance, as well as tools for diagnosis and unlocking paid features, pirated navigation apps, and unlicensed accessories. Naturally, those products were all quite a bit less expensive than what manufacturers offer. Why pay more if you don’t have to?”
Because you actually get what you pay for, according to Kaspersky. Once these pirated tools get access to a car, the cybersecurity measures that prevent hackers like Miller and Vasalek from remoting in and running amok are bypassed. “hey can monitor the car’s movements, eavesdrop on conversations, or access a smartphone connected to the system. Or they could turn off the alarm and unlock the doors. Enterprising cybercriminals might even inject ransomware, preventing the vehicle from moving until the owner pays up in cryptocurrency,” suggests Kaspersky.
How to hack a Tesla in under three minutes
So far, I haven’t talked about Tesla that much outside these titles. That’s for a couple of reasons: first, the Injury Reserve song Jailbreak the Tesla from earlier that you should have listened to that brilliantly expresses the changing attitudes of a technology-savvy community of car owners who view turning the “X into a Batmobile rip” and stunting by taking a Tesla to West Coast Customs with the same relish as dads in the 1960s putting better spark plugs in their Crown Coupes; and secondly because, in addition to pioneering the adoption of electric vehicles across the world, Tesla has led the field of automotive cybersecurity since its inception.
To keep ahead of the competition, Tesla has a novel approach: a competition.
Back in January, the company put a bounty on the new Model 3 sedan, saying that anyone who could hack it and expose vulnerabilities in its security systems could have one.
Many tried. Some succeeded. A group of hackers from China managed to trick a Model 3 into changing lanes remotely in March of this year at an event in Vancouver. The “Pwn2Own” approach that Tesla has taken to beefing up its security systems has precedent in the cybersecurity space for decades, but Tesla is the first automaker to embrace the strategy.
Where does the road go?
By 2025, Grand View Research predicts that the automotive cyber security market will hit $5.56bn per year. Increased risk of data breaches, as our personal information becomes increasingly integrated into the technology we use on a daily basis, will drive massive investment. However, whether strategies like internal R&D departments, investment in startups, or simply challenging the world’s best hackers to "take their best shot” will prove effective remains to be seen.