Vulnerability Management

Putting The Brakes On Hacked Cars

By Chris Hardee

The average high-end car has roughly 200 million lines of code. Since software has an average of 15 to 50 errors per 1,000 lines, this means your average car has between 3 million and 10 million bugs buried somewhere within its code.

If this number scares you, you're not alone.

According to a recent study, 90% of drivers think that carmakers "should be in charge even if the car’s apps were created by a separate software firm."

While having the latest patches is important for computers and cell phones, it is critical when it comes to safety within a vehicle. The National Highway Traffic Safety Administration and the FBI issued a joint formal announcement warning drivers of the increased risk of having vehicles that are connected to the Internet. "As soon as you connect anything to the Internet, there is a hacking risk," says Jonathan Olsson, an Ericsson security expert.

An average car takes 5 years to go from initial development to production. Once produced, cars have an average lifespan of 11.5 years. This means the total time that a car is supported by the manufacturer, from design through end-of-life, is an average of 16.5 years. As Craig Smith, Research Director of Transportation Security at Rapid7, pointed out at InfoSec World in April, that is a very long time for software to go without being patched.

According to Smith, rental car companies won't do patches and, in many cases, consumers won't either.

Will Rockall of KPMG Cyber Security also imagined a dark future if something isn’t done to improve the situation. “Imagine the joy of the London Olympics souring if connected cars had driven into east London and ground to a halt. Vehicles transporting high-value goods could be hijacked remotely, or the fantastical notion of rich individuals being kidnapped or their vehicles caused to crash,” says Rockall. While this may seem like science fiction, researchers have already shown it’s possible.

Why would criminals want to hack automobiles? Personal gain is a common reason for hackers to attack computers; however, when they hack an automobile, it can allow them to take control of the device and cause it to make unexpected turns and stops, cause traffic accidents, and much more.

"It’s inevitable that carmakers will go through the same motions as banks or retailers did in the past years, bulking up their security spending to avoid breaches that would hurt consumer confidence," said Olivier Piou, CEO of Gemalto. “Companies who have a reputation to protect can’t afford not to think about security.” 

What Happens When Cars Aren't Patched?

The Jeep Cherokee hack was carried out by Charlie Miller and Chris Valasek on a 2014 Jeep Cherokee. They were able to use a zero-day exploit to get wireless control of the Jeep Cherokee via the Internet. Andy Greenberg, a writer for, was behind the wheel for the test and, even though he knew they were attacking, got a scary surprise. During the attack, Miller and Valasek were able to turn on the A/C, blast the radio with hip-hop music, turn the windshield wipers on, and blur the windshield with wiper fluid, making it difficult to drive.

During all of these distractions, Greenberg was driving 70 mph down the highway and was forced to come to a full stop in the middle of the road after the two researchers disabled his access to the vehicle’s gas pedal, transmission, and brakes. This hack was implemented via the Internet from Miller's house over 10 miles away.

Tesla Model S 

Chinese researchers at Keen Security Laboratory were able to remotely take over two Teslas. They used a fake Wi-Fi hotspot that contained malware designed to exploit the car’s CAN bus network. When the car came into range, they were able to take control of the vehicle, including the seats, the rear hatch, and the brakes.

Over The Air Patching

Tesla released over-the-air (OTA) software patches to fix these issues. While they were at it, they added code that requires all future firmware updates to be signed with Tesla’s unique cryptographic key. This method of code signing was pushed out to all Tesla vehicles, making it harder for hackers to take over sensitive components.

According to JB Straubel, Tesla’s Chief Technical Officer, code signing should become a standard for the automotive industry. This will harden a car’s internal network and decrease the risk of future hacking attacks. “This is what the world needs to move towards otherwise the door is thrown wide open anytime anyone finds a new vulnerability,” says Straubel at
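The code-signing check described above, as an added Go example (not Tesla's code and not part of the original article): the updater accepts firmware only when a signed manifest verifies against the public key stored in the vehicle and the image matches the digest in that manifest. Ed25519, the manifest layout, and the names `Manifest`, `SignUpdate`, `VerifyUpdate` and `demoKey` are assumptions; the keys and firmware bytes are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor: a version and the image's SHA-256.
type Manifest struct {
	Version string
	Digest  [32]byte
}
func (m Manifest) encode() []byte { return append([]byte(m.Version+"\x00"), m.Digest[:]...) }

// SignUpdate runs on the build server, the only holder of the private key.
func SignUpdate(priv ed25519.PrivateKey, version string, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.encode())
}

// VerifyUpdate runs in the vehicle, which stores only the public key.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pinned, m.encode(), sig) { // wrong key, or manifest altered
		return errors.New("manifest not signed by the pinned key")
	}
	if sha256.Sum256(image) != m.Digest { // genuine manifest, swapped payload
		return errors.New("image does not match the signed digest")
	}
	return nil
}

func demoKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) { // constructed key, fixed seed
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKey(1)
	_, rogue := demoKey(2)
	image := []byte("constructed firmware image 2.0")
	m, sig := SignUpdate(priv, "2.0", image)
	rm, rsig := SignUpdate(rogue, "2.0", image)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, image))
	fmt.Println("modified image:", VerifyUpdate(pub, m, sig, []byte("modified image")))
	fmt.Println("other signer:  ", VerifyUpdate(pub, rm, rsig, image))
}
```

Because the version is part of the signed bytes, changing it after signing also fails verification.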

Encrypted OTA Transmissions

Some carmakers are making an effort to update their cars. There are currently 10 million vehicles that have the capability to receive encrypted OTA updates. For example, Tesla Motors, Inc is pushing updates out over the air using Wi-Fi, 3G, and 4G wireless. This allows their cars to download new functionality such as performance upgrades, self-parking, and other patches to help keep hackers out of their cars.

"Given this capability, auto manufacturers can enable vehicles to mitigate any new cyber threats without calling the cars back to the dealers. OTA updates automatically sync with connected cars to ensure all software is current at all times, helping provide future-proof security coverage, cost savings, and increased customer loyalty," says Oren Betzaleli with TechCrunch.

Encrypted OTA updates can be a way to keep our cars secure and help prevent many cyber attacks. These updates can also be used for giving GPS units up-to-date maps and for updating vehicle diagnostics to ensure optimal performance levels.

"OTA updates make life more convenient for car owners, as well. Rather than physically bringing a vehicle to the dealership for repairs or waiting for another form of manual installation for a software update, OTA updates are instant, seamless and secure, so drivers can continue riding while upgrades are made," says Betzaleli.

Software will continue to have bugs. However, by using encrypted OTA updates, car manufacturers can protect consumers, improve their reputations, and make the roads safer for everyone at the same time.

Chris Hardee is a natural storyteller from a long line of storytellers. Growing up, he listened to his grandfather tell stories and was always mesmerized by the tales. Chris's Dad, also a storyteller, said the stories must be true because they hadn’t changed over the past 40 years.

Chris uses this gift of storytelling on a daily basis to help you take potentially boring technical content and bring it to life, allowing you to share the real benefits of your products and services with readers.
