EAST LANSING, Mich. — More and more smart cars are taking to the road each year, and it’s no wonder. These vehicles, equipped with advanced technology, considerably improve the driving experience in both convenience and practicality. Of course, just like other modern devices that improve our lives, such as smartphones and home assistants, these newer cars also open up the possibility of cyber attacks from hackers or other individuals with malicious intentions. A new study out of Michigan State University applied criminal justice theory to the newly emerging smart car industry, and found a number of troubling security oversights — including some that could lead to potentially deadly consequences.
Overall, the study’s authors identified two main problem areas: the possibility that users’ personal data could be compromised via a smart car hack, and, perhaps even more alarmingly, the potential for hackers to take control of and change a smart car’s safety features, consequently endangering all passengers.
“Automotive cybersecurity is an area we don’t understand well in the social sciences. While there are groups of computer scientists and engineers digging into some of the issues, the social aspects are extremely relevant and under-examined,” explains lead author Thomas Holt, professor of criminal justice at MSU, in a release. “As the technology gets greater market share, it’s critical to get ahead of the curve before there are issues we can’t rein in.”
According to the researchers’ findings, as more cars on the road connect to WiFi, it will be that much easier for hackers to gain access to vehicle systems. For example, connecting one’s smartphone to a smart car could, in theory, give a hacker backdoor access to data stored inside both the car and the phone. Google Android users were specifically mentioned as well, because they have the ability to download applications from unverified, possibly malicious, websites.
“The risk with vehicles isn’t just personal data – though that is still a real concern,” Holt continues. “Say the car is compromised and a hacker alters certain alert systems that tell a driver when tire pressure is low or so the emergency brake sensory systems don’t kick in. That could lead to loss of life.”
Holt and his team applied a popular criminal justice idea, referred to as the routine activities theory, to the subject of smart cars. According to this theory, in order for a criminal to actually commit a crime, three preconditions must be met: a motivated criminal, a suitable target, and a lack of a guardian. Within a smart car scenario, the car manufacturer should be acting as a cyber security guardian, but the research team found that most are not doing enough in this field.
“Where we found holes was surprising: there’s no one technically responsible for these vehicles’ central computer systems,” Holt says. “The automotive and equipment manufacturers need to recognize that as it stands, they serve as the guardians in the space, and the onus is on them. They need to take the lead in thinking more critically about data flows, software vendors and how to communicate security with dealerships.”
If an older model car were to experience a widespread equipment failure, the typical response from the manufacturer would be to issue a recall in order to fix the issue. But Holt says this approach won’t be sufficient when it comes to hacks.
“It’s critical to think beyond thresholds and recalls because cybersecurity isn’t a recoverable problem, but rather one that requires constant system patching updates, installations and new codes written,” he comments. “This is more complicated but needs to be an active guardian process.”
Just as smartphone manufacturers are constantly releasing new updates and security measures, the study’s authors say that car companies will soon have to employ the same strategy.
“Not everyone updates their smartphones when they’re supposed to, but customers need to realize that to a certain extent, manufacturers can only do so much. The customer must have a role in protecting their cars as well,” Holt concludes. “We can’t expect every vehicle owner to go to a dealership every time there’s a security update. But once the guardians find a way to make it more accessible, they’ll be the ones responsible for protecting their vehicles – and themselves.”
The study is published in the Journal of Crime and Justice.