New Brunswick·Point of View

Hacking cars: cybersecurity regulations needed for new vehicles

Columnist David Shipley says more cybersecurity is needed to prevent the hacking of vehicles and make drivers aware it could happen.

Security researchers showed they were able remotely hack a 2015 Jeep Cherokee over the internet

David Shipley says more should be done to prevent the hacking of vehicles. (nito/Shutterstock)

Imagine driving your pickup truck off-road and suddenly having your airbags and seat belts malfunction because of an object striking the undercarriage. That causes a software error in your smart vehicle, causing the computer to incorrectly turn off critical equipment that protects you. 

Sounds far fetched?

It shouldn't. It's part of a recall notice that affected more than 200,000 Dodge Ram trucks in Canada and a million in the United States. Fiat Chrsyler issued the recall in May and is aware of one death and two injuries as well as two accidents that may be related to the issue. 

It's just the latest safety issue affecting cars and trucks made by a variety of auto makers over the past few years. The most stunning hack to date happened in 2015.

Two years ago security researchers demonstrated they could remotely hack a 2015 Jeep Cherokee over the internet and take control of its systems as well as disable its transmission and interfere with its steering and brakes. 

After that hack was announced, there was a lot of talk about the need for new laws to regulate cybersecurity in vehicles. Unfortunately, it only ever amounted to talk. 

Why are cars so hackable? 

No one set out to make a hackable internet-connected vehicle that could be turned into a weapon. 

In fact, the first steps towards this disaster had nothing to do with connecting the car to the internet. 

The first steps had to do with introducing entertainment technology in order to raise the perceived value proposition of a car made by Ford, Fiat Chrysler or General Motors against the equivalent overseas-made car from manufacturers such as Honda, Nissan and Mazda. 

The problem for Ford, Fiat Chrysler or General Motors is that before they even build a new car, they're already much more expensive than the equivalent import due to legacy labour costs such as worker pensions, healthcare and other benefits. In 2005, these costs added as much as $1,500 to the cost of each car GM made.

That means, all things being equal, to make the same amount of money as a Japanese automaker for the same kind and quality car, the big three automakers have to charge a price premium. That's a tough sell given the brand perceptions around the quality of imported vehicles versus domestic ones. 

What Ford realized in the late 2000s was that it could use low-cost technology to create additional value and justify part of the premium needed to grow its margins. 

Ford realized that technology could not only attract younger buyers - the so-called millennial generation - but those buyers would be willing to pay as much as $3,000 more for entertainment and internet-connected hardware. 

Pandora's digital box

Adding touch screen technology to the entertainment system of a car is one thing, but when you start connecting that entertainment system to the control systems of the car and then connecting those systems to the internet, you end up with trouble. 

But why did the manufacturers hook these systems together? 

Ironically, in most cases, it was about adding safety features. You can almost hear the brainstorming sessions in the late 2000s: Engineer A notes that wouldn't it be great that in the event of an accident or collision, if your car was smart enough to turn the stereo down and call 911. Engineer B notes that wouldn't it be great too if you could track your car over the internet if it was lost or stolen.  Engineer C adds that the car should notify you via the mobile app if it has a problem, or send important data to your dealership. 

Marketer A loves these new ideas, each of which can become a branded feature to help differentiate a car from competitors, but more importantly can help add value to the car at little or low cost. 

It's worth noting in this hypothetical scenario that there's no cybersecurity expert in those meetings, which is likely pretty close to what happened in real life. 

Fixing our smart cars

New regulations and oversight of smart cars would be good first steps. Those regulations should include laws mandating security updates and patches for the reasonable lifespan of the vehicle. We also need cybersecurity safety testing and ranking of vehicles by government agencies and insurers, just like we do for car front-end collision safety today. 

Finally, we need to make sure car buyers and owners are aware these are some of the risks of their new smart and convenient cars so they can ask questions of the manufacturers and of government officials on how we can make them as safe as possible. 


David Shipley is the CEO and Co-Founder of Beauceron Security Inc., a New Brunswick-based cybersecurity software firm with clients across North America. David is a certified information security manager and frequently writes and speaks about cybersecurity issues across North America. Over the summer he is exploring a variety of cybersecurity issues in a weekly column for CBC Radio New Brunswick.