MotorBiscuit Exclusive Interview: Expert Reveals How Safe Your Car is From Cyber Attacks
Cars are growing exponentially more complex every year. New cars and trucks can have over 100 control units and up to 3,000 computer chips. A deluge of wireless features leaves these networks vulnerable to cyber attacks. If bad actors successfully hack your car, they could steal your personal information, belongings, or even your vehicle. Drivers want to know just how vulnerable their ICE or EV is to cyber attacks. So MotorBiscuit sat down with leading automotive cybersecurity expert, Brandon Barry, to answer some important questions.
Who is Brandon Barry, cybersecurity expert?
Brandon Barry wears multiple hats in the automotive cybersecurity world. He is the founder and CEO of Block Harbor Cybersecurity (2015-present), a company dedicated to automotive cybersecurity which has conducted extensive research in the EV space. He is also the North American Team Lead of the Automotive Security Research Group nonprofit. Previously, he tested software at Fiat Chrysler Automobiles. He has a bachelor’s degree in computer science from Brown University.
After exchanging several emails, Mr. Barry agreed to an interview over Zoom. My questions are italicized and begin with “MB.” His responses begin with “BB.”
Keeping your vehicle secure
MB – Any advice you’d give readers to keep their vehicle secure?
BB – I think vehicle cybersecurity is up to the automakers–the manufacturers–to ensure vehicles are safe. People aren’t often updating their vehicles for safety. They expect that: the seatbelt, and the airbag system, the safety ratings.
Cybersecurity is really no different: It’s intended to be baked into the vehicle. And the automakers are really putting the energy into ensuring that’s the case.
That said, many people upfit their vehicle with certain connected devices. And not to say not to do that. But be conscious–when you are doing that–of what type of data they are collecting and what type of risk that may be introducing to the vehicle.
There was a well-known article where one of those dongles for insurance–where they monitor your driving habits–was able to be exploited and potentially move on to the vehicle. You just have to be careful about the things you’re introducing to your vehicle.
MB – Any advice you’d give folks when they’re looking to purchase a new vehicle?
BB – Generally, the auto industry is not seeking to view cybersecurity as a differentiator. Whereas (crash) safety is definitely a differentiator. Consumers do view one car as more safe than another. The industry as a whole is seeking to really treat cybersecurity as something that’s just a minimum expectation across the board. The industry, at least here in the U.S., is not seeking to rate Ford’s vehicles against General Motors’ vehicles.
It’s not like that everywhere around the world: In places like the U.K. and China, they are introducing this market competitive aspect to grade the cybersecurity of vehicles, which would influence consumer choices around the cybersecurity of cars. But generally speaking, consumers should be able to expect that a vehicle is secured with the best corporate diligence, due to the regulations that are going into effect globally.
Do electric vehicles pose an increased cybersecurity threat?
MB – Are electric vehicles (EVs) as secure as internal combustion engine (ICE) vehicles?
BB – In general, EVs are mechanically simpler because they have fewer moving parts. In many cases, this has allowed automakers to centralize their EVs’ electronic architecture, which can make securing it easier. But make no mistake – more software and more electronics are entering into all vehicles, electric or not.
In the end — whether EV or ICE — what is increasing the attack surface of vehicles is the integration of new technologies. Controlling your vehicle from your phone, new autonomy features, and the integration of internet-connected apps all introduce new risks to any type of vehicle.
MB – Any makes or models you are concerned about?
BB – Companies like Ford are pivoting rapidly to keep up with companies like Tesla, that are quickly gaining market share. We (Block Harbor) were very curious about the cybersecurity of a vehicle like the Mach-E, which was rushed to market very quickly. They took a lot of their traditional ICE components and kind of glued it together to be an EV. A lot of the teardowns of the Mach-E show the types of rushed decisions that were made to yield that vehicle.
So, we purchased a 2021 Mach-E as soon as they came out. We took a look at the different modules within it–the cybersecurity of them. In the end, there was nothing that was obviously skipped in the cybersecurity of the vehicle due to the transition to the EV. Ford did a pretty good job at ensuring that that EV inherited a lot of the cybersecurity efforts from the previous vehicles.
Now, I will caveat that a little bit. Companies like Ford, General Motors, Stellantis–who are pivoting to EVs–they get to inherit a lot of this stuff, as I just mentioned.
Newer EV companies are in a different position entirely, because they are not inheriting a bunch of legacy stuff. They are building stuff from the ground up. And one of the concerns that we see across the space is that newer EVs are being rushed to market. Their motives are to get these EVs out the door as fast as possible, to stay relevant, to capture market share. That gives them the legitimacy that controls their stock price, etc. And in doing so, there is a concern that things like cybersecurity—that tend to slow down the development process and delivery of those vehicles—can be overlooked.
MB – What’s the likelihood of an EV picking up malware through its charger?
BB – Generally speaking, the industry is viewing the charging system as already compromised. And they’re taking very defensive strategies against the charger port. It’s much like they already protect the diagnostic port within the vehicle: Many times you can’t just plug into that anymore and read traffic from all over the vehicle because there is some segmenting to isolate it and institute some security to ensure that it’s not full access to the vehicle. The same type of segmenting is going into effect for the charger port. I can’t speak for all OEMs. But many of Block Harbor’s customers operate with that kind of mentality and security architecture. They treat the charger port as unsafe.
I will say there are other attacks around EVs that may be much more concerning. With EVs, we are looking at large scale charger networks. The chargers themselves, the EVSEs themselves, are many times in various different security states. Whether it’s Electrify America, or whether it’s a Tesla charging station, or another, there are many different chargers hitting the market in all different security postures. A bigger security concern is that, ‘What if a charging network was held for ransom?’ It would be kind of like if a gas station—or all the Mobil gas stations near you—were taken offline and you couldn’t get gas from those stations. We’re seeing this huge pivot toward EV, with a strong reliance on these charging networks. And where there’s that type of reliance, and lack of security, and many parties involved, I’m concerned. I’m generally more concerned about the chargers themselves than someone moving laterally into the vehicle.
Cybersecurity vs your Right to Repair
MB – How risky is wireless OBD, in either ICEs or EVs?
BB – While looking at a lot of automotive designs, we haven’t really seen that to be a big trend in the space. There would be concern with any wireless attack surface being introduced to the vehicle. But the OEMs have the right mindset, in that they are viewing these types of interfaces that many technicians use, that may get a lot of foot traffic, as ‘Hey, maybe we should slow down and really consider what someone’s able to do with this type of interface.’ They’ve really come to take seriously the risks of these types of wireless attack surfaces in a car.
MB – You’re both a cybersecurity expert and an automotive enthusiast; any thoughts on the balance between Right to Repair and cybersecurity?
BB – All the automakers are tasked with following the laws of Right to Repair, while also making their vehicles more secure. And that often means ensuring that there’s a pathway to authenticate aftermarket tools so that they can properly diagnose and collect data from the vehicle. Automakers are standing up security infrastructure so aftermarket shops can still do that stuff while still benefiting from some of the security aspects.
These are things like authentication methods, where an aftermarket shop needs to register with a third party and then they can keep track of who’s using the system. The diagnostic systems are no longer sitting offline on a PC where you don’t need an internet connection because the car comes in and they diagnose it. It’s all going online where they can keep a much closer watch on the types of cybersecurity events that they may be concerned about.
But think about how complex vehicles are getting: Whether it’s the repair of EVs, which require some specialty equipment and specialty knowledge which traditional repair shops are not set up for. And especially when we get into autonomy, where we’re thinking about complex systems made up of cameras, that are making decisions in the vehicle, that ultimately influence passenger safety. Cybersecurity of an autonomous vehicle is so intertwined with safety. The designers of these systems need to be sure that everything’s working as intended–and that the corresponding fail safes are there to ensure that that vehicle remains safe throughout the life of the vehicle. And to do that, you kind of don’t want anyone modifying the systems that are keeping the passengers safe. So, today what we’re seeing is a lot of systems being stood up to support Right to Repair. But it may be safer, when vehicles become fully autonomous, if those systems stay in a known state. Especially when they’re making safety decisions.
MB – If an automaker were to say, ‘Only dealers can access telematics’ would you call ‘Bull!’ or would you say, ‘That’s good security.’?
BB – In the scenario where cars take a route of being very focused on mobility, versus serving the enthusiast crowd, I see a divergent path.
I love cars. I have a drift car. I have a road racing car. This is why I started a company in Detroit. It’s why I work on this stuff every day. It’s not so that I take cars and make it so I never need to use them again.
We have this future of focusing on getting people around, and we have this (other) future of cars, and enthusiasts, and enthusiasm around the car. There would never be an enthusiast of an autonomous vehicle, because they’re not driving them. As we think full autonomy. That is getting much more into taxi services, stuff like that. So, I think it’s a complex situation to be in.
I think personally, I love to be able to modify my own stuff. And I love to be able to say, ‘Hey, yeah, I purchased this and this is mine, and I want to be in control of something that I own.’ So, I would call ‘bull’ if I owned it. If it was something like a network of Uber for example, of robo-taxis that I don’t own, I’d say, ‘No, I actually want that to be as secure as possible. I’d like to know that it’s in a known state, not that a whole bunch of people are modifying it.’
MB – Any other comments for enthusiasts?
BB – There’s often a concern around things like tuning of vehicles. You have the engineers at GM doing everything they can to lock down the Corvette module and encrypt it, and stuff like that. And then you have the tuning crowd saying, ‘Man I really want this Corvette, but I can’t. I won’t be able to modify anything, and I don’t like that.’
The automakers are thinking seriously about how to enable some of these modifications, and some of these types of tuning applications, so that people can love, enjoy, and modify their vehicles—while making them better and more effective–to serve that audience. I think we will exit the era of car hacking and tuning in the way we traditionally think about it, and enter an era where the automakers become much more focused on that enthusiast crowd, and what they’re asking for. So, rather than try to defend against them, working with them to enable some of those things that people want. And in the end, I think that is because companies like Tesla are listening to their audience. They’re saying, ‘You want this feature? Yeah, we’ll build it in the next two weeks. And we’ll launch that.’ And I think that all the autos need to take that into account. Versus, going against their target market, and rubbing them the wrong way. We’re entering an era where all the car companies really need to cater to that audience.
MB – Is there a tech or a feature on the horizon that you’re giddy about?
BB – Drift mode in the new Mustangs. You know that people are going to go and beat the heck out of their car, and honestly, use it for what they’re buying it for. Versus, the whole mentality of, ‘No, we’re going to void your warranty.’
Putting that technology in the car is saying, ‘Look guys, go have fun with your vehicle. We’ll enable this type of stuff. And we’ll support it.’
People want to have fun with their vehicles. They want to love their vehicle. And with the price tag of vehicles increasing exorbitantly, you have to ask, ‘Why am I paying the price of a small house for a car that ultimately doesn’t have any of the features I wish it had?’
I’ll give you an example of a piece of tech that’s missing from a lot of vehicles that really drives me insane. Many modern cars have all these cameras around them. But very few of the automakers—with the exception of Tesla—have a sentry mode, or dash cams, that facilitate some of the features. You know, you have tons of people who buy cars and stick a dashcam in it. So I’m buying a car with 20 cameras around it and I still have to stick a dashcam in it. It’s a little crazy to me.
MB – Do you have any closing thoughts?
BB – I want to emphasize that the automakers are taking cybersecurity very seriously. This isn’t something that’s going under the radar. There are global regulations going into effect that are really setting the bar for what the cybersecurity of vehicles should look like. And there’s not an automaker out there that’s not seriously looking at this, and ensuring that passengers aren’t going to be exploited. I just want to make sure that I’m not communicating the message that cars are hackable or to be afraid of your car. It’s a really serious topic.
MB – Cyber attacks could be described as a kind of new World War.
BB – Yeah, I know. Definitely the cyber front will be where a lot of international warfare happens, a lot of tinkering with each other’s infrastructure, seeing what they can get away with. It’s definitely a reality we’re going to have to face.
MB – I know you’re busy, so thank you very much for your time.