Cyber Risk for Automobiles?

By Anthony Cappelletti

General Insurance Insights, June 2024


Back in December of 2023, automobile manufacturer Tesla recalled over 2 million cars in North America regarding a defect in the system that ensures a driver is alert when using the Autopilot feature. This recall was handled differently than what we normally think of as a recall. The defect was in the car's software and the recall was completed using an over-the-air (OTA) software update.[1] After that recall, Tesla performed another OTA software update recall due to using too small a font on the instrument panel.[2] This got me thinking about the connectedness of modern automobiles, which made me ask: are connected automobiles at risk of cyber attacks? Is cyber risk something we need to be concerned with for automobiles?


Cyber risk can be understood as the potential (chance) of exposing a business’s information and communications systems to dangerous actors, elements, or circumstances capable of causing loss or damage.   

hyperproof, Blog, What is Cyber Risk?  

 

Connected Automobiles

While Tesla comes to mind when thinking of connected automobiles, it’s not the only manufacturer producing connected automobiles. Most automobile manufacturers now produce connected automobiles. The definition for a connected automobile can be explained like this: A connected automobile is an automobile that has the capability for two-way communications with systems outside of the automobile. Transport Canada describes them as vehicles that “use different types of wireless technology to communicate with their surroundings.”[3]

Common examples of connected automobiles:

  • Automobiles that include an integrated satellite-navigation system (SATNAV) that can update maps and/or receive live traffic updates via a radio signal or some other form of wireless data.
  • Automobiles that are equipped with Apple CarPlay or Android Auto for entertainment and navigation in which communication is between the automobile and a cell phone.
  • Automobiles that permit certain functions of the automobile to be accessed through a cell phone app (e.g., start vehicle, climate control, lock/unlock doors).
  • Automobiles that can initiate emergency assistance after an event in the vehicle (e.g., airbags deployed) using wireless communication.  

These are all examples of what I would call limited connectedness.

Now, Tesla and several other automobile manufacturers are including extended connected capabilities on their automobiles. This allows manufacturers to communicate directly with an automobile to update software affecting various systems in the vehicle (e.g., engine functions, safety features, entertainment, and driver assistance options). Before looking into extended connectedness, I’ll look at the most common and simplest form of connectedness, the electronic key fob.

 


What is a key fob?

A key fob is a small hardware device that can be programmed to control access to a physical space. …
A key fob contains a short-range radio transmitter and receiver. It uses radio frequency identification (RFID) to communicate with its paired device, which also has its own RFID hardware.    

Webopedia https://www.webopedia.com/definitions/key-fob/

 

Key Fobs and Automobile Security

Automobile theft has usually involved physically damaging the automobile for entry and then damaging the steering column to access the wires to start the vehicle. While this still occurs, vehicles with key fobs can be stolen without any physical damage. Thieves can take advantage of key fob technology if they have hardware that can intercept RFID[4] signals. Intercepted RFID signals can be cloned by thieves, who will then have access to the vehicle.

There are many different techniques for doing key fob cloning, but I won’t be describing how it’s accomplished. Thieves just have to be near where you store your key fob to intercept and clone the coded signal—even though they can be outside your home while your key fob is stored behind locked doors.

If the vehicle requires a physical key to start the engine, thieves will still need access to the wires near the ignition to drive it. However, if it has a push button start, thieves will be able to drive the vehicle with the cloned key fob.

There are countermeasures that may be taken. Manufacturers can employ technological solutions, such as rolling codes and two-factor authentication.[5] But technological solutions only make cloning key fobs more difficult, not impossible. Storing key fobs in a Faraday bag[6] makes it impossible for thieves to intercept the RFID signal from the key fob because it can’t pass through the material of the container.

The Issue with Kia and Hyundai

Engine immobilizers have been a standard feature in automobiles over the past 20 years. They were developed to prevent a vehicle from being started without the keys. Basically, an immobilizer requires the presence of the key fob to start the engine. This stops low-tech vehicle thefts, but it does not stop key fob cloning technology.

Automobile manufacturers Kia and Hyundai did not include engine immobilizers in many of their key‑start vehicles from 2015 to 2021. After a simple technique to start these vehicles without the key fob became widely available on social media platform TikTok, theft of these cars skyrocketed in the United States. Both Kia and Hyundai have since rolled out a software update (not OTA) that will act as an engine immobilizer.[7]

 

So, it’s a fact that many vehicles can be stolen using RFID signal-interception and cloning technology. While this is certainly an issue for automobile owners and automobile insurers, it’s not as frightening as the thought of bad actors being able to hack into your automobile’s engine control and safety systems.    

Hackers and Automobile Software

Today’s vehicles are highly technological, in some ways resembling a computer on wheels, complete with an operating system and software. As mentioned at the start of this article, Tesla completed a vehicle recall using an OTA software update. We all know that computer systems are subject to cyber risk. Hackers are always looking for vulnerabilities in operating systems and software for hacking opportunities. Operating systems, software and apps are constantly being updated to close off vulnerabilities. So why should today’s vehicles be any different? They’re not.

In 2022, the U.S. Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) produced the report Cybersecurity Best Practices for the Safety of Modern Vehicles.[8] This report provides non-binding guidance to the automotive industry regarding automobile cybersecurity. The guidance sets out a risk-management framework that includes many elements, such as risk assessments, layers of protections from risks, methods to mitigate risks, identification/testing of vulnerabilities, monitoring of incidents, remediation capabilities, and information sharing with the automotive industry regarding vehicle cybersecurity. The NHTSA is taking this threat seriously as it can affect the safety of drivers, passengers and pedestrians.


The automotive cybersecurity environment is dynamic and is expected to change continually and quickly. … Wireless interfaces into vehicle systems create new attack vectors that could potentially be remotely exploited. Unauthorized wireless access to vehicle computing resources could scale rapidly to multiple vehicles without appropriate controls.   

NHTSA, Cybersecurity Best Practices for the Safety of Modern Vehicles

 

It’s a little scary to think of what can be done with cars that have self-driving capabilities. Tesla vehicles have an option for Enhanced Autopilot (EAP) and an option for Full Self-Driving (FSD) capability. Something to be aware of is that all Tesla vehicles have these capabilities even if the purchaser elects to not purchase either of these options. That’s because these options are made functional when the software is given the instruction to make them available in the vehicle. Tesla can do this remotely. This is how Tesla can make these options available on a monthly subscription basis in addition to a full purchase. Tesla also recently announced that it will make the FSD option available to all Tesla vehicles for a one-month trial period.[9]   


From tesla.com[10]

Tesla EAP Capabilities

Automatic driving from highway on-ramp to off-ramp includes automatic lane changes, Traffic-Aware Cruise Control with complete stopping and re-engagement, Autosteer, and overtaking slow cars in your lane.

With Smart Summon, your car will navigate more complex environments and parking spaces, maneuvering around objects as necessary to come find you in a parking lot.

Tesla FSD Capabilities

Includes all EAP capabilities plus:

Your car will be able to drive itself almost anywhere with minimal driver intervention and will continuously improve.

 

So, you might think this is only an issue with Tesla vehicles. Not really. Many modern vehicles come with some of the following software-controlled features:

  • adaptive cruise control,
  • active lane following assistance,
  • collision avoidance emergency braking, and
  • remote parking assistance.

All these features have software controlling steering, acceleration and braking without any driver input. So, it’s technically possible for many newer vehicles without FSD capability to be driven remotely—even if just enough to cause chaos on the roadways.

Two Netflix offerings that I recently watched used cyber-attacks on automobiles as a minor plot device. One was the movie “Leave the World Behind,” the other was the series “3 Body Problem.” “Leave the World Behind” is an apocalyptic movie about a multi-pronged cyberterrorism attack on the United States. In one scene, roadways are left impassable as numerous remotely driven Tesla automobiles are purposely crashing to make passage impossible. “3 Body Problem” is a science-fiction series about technologically advanced aliens attempting to stifle scientific developments on Earth. [Read this endnote if you want more spoilers.[11]] In one scene, an AI takes control of three automobiles (not Teslas) to create a distraction on the roads and run over an individual. Why do I mention this? The fact that cyber attacks on automobiles are now being used as plot devices means that this issue has captured a wide audience, including potential bad actors.

Can we be that far away from actual cyber-attacks on automobiles? I’m guessing that it’s only a matter of time. However, I don’t think it will be as extreme as these fiction examples I cited. In the near future, I expect less serious cyber-attacks on automobiles to occur, or at least be attempted. Perhaps remotely locking out numerous people from their vehicles at the same time by those interested in causing societal disruption. Or remote theft of high-end vehicles to be shipped out of the country and sold in foreign markets. One can imagine many different plausible scenarios.  

While not as serious as remote control of vehicles by bad actors, there is the potential for cyber hacking of automobiles to steal data and personal information. Given how cell phones and modern vehicles are usually connected, it opens a new avenue for hackers to steal personal information.     

Final Thoughts

Cybersecurity for automobiles is an important issue that is constantly changing. The automotive industry is taking measures to ensure that vehicles have multi-level protections against cyber-attacks. But from the world of computing, we’ve learned that cybersecurity requires frequent updates—hackers seem to always find new ways to compromise security. Automobile cybersecurity will likely be no different.  

Automobile insurers will need to stay on top of this issue to ensure that vehicle models with compromised security are dealt with appropriately for rating and underwriting. There is also a place for automobile insurers to be involved in risk mitigation. For example, automobile insurers could provide discounts for policyholders that use a Faraday bag to store their key fobs at home.    

Actuaries working in automobile insurance should stay informed on this issue so they can be part of the discussion regarding cybersecurity for automobiles.

Statements of fact and opinions expressed herein are those of the individual authors and are not necessarily those of the Society of Actuaries, the editors, or the respective authors’ employers.


Anthony Cappelletti, FSA, FCIA, FCAS, is a staff fellow for the SOA. He can be contacted at acappelletti@soa.org.

Endnotes

[1] CBC News, Dec. 13, 2023, Tesla recalling over 2 million cars in the U.S. and Canada over system that checks if drivers are alert.

[2] CBS News, Feb. 2, 2024, Tesla recalls 2.2 million cars — nearly all of its vehicles sold in the U.S. — over warning light issue.

[3] Transport Canada, Understanding connected and automated vehicles.

[4] Radio frequency identification: Use of radio wave technology and encoded microchips to identify objects.

[5] SmartchoiceList, Sept. 27, 2023, Can Key Fobs Be Cloned: Unveiling the Security Risks.

[6] A Faraday bag is a type of Faraday cage but in the form of a pliable bag. A Faraday cage blocks wireless signals from an external device from reaching its contents, and blocks signals from its contents from reaching an external device. The Faraday cage was named after its inventor, Michael Faraday. Source: How-To Geek, May 1, 2022, What Is a Faraday Bag, and Should You Use One?

[7] Car and Driver, May 19, 2023, Hyundai/Kia Will Pay Owners $200 Million over Easily Stolen Cars.

[8] This report is an updated version of a 2016 draft.

[9] Drive, March 31, 2024, Tesla ‘Full Self-Driving’ free trial announced for the US, but Elon Musk’s bigger plans hit “roadblocks”

[10] Autopilot | Tesla.

[11] This is being done using AI so that when they arrive in 400 years, we will not have the technological ability to be a threat to them. Just in case you are curious, they have a method to move information faster than the speed of light but moving objects is constrained to a fraction of the speed of light.