MotorBiscuit Exclusive Interview: Expert Reveals How Safe Your Car is From Cyber Attacks
Cars are growing exponentially more complex every year. New cars and trucks can have over 100 control units and up to 3,000 computer chips. A deluge of wireless features leaves these networks vulnerable to cyber attacks. If bad actors successfully hack your car, they could steal your personal information, belongings, or even your vehicle. Drivers want to know just how vulnerable their ICE or EV is to cyber-attacks. So MotorBiscuit sat down with leading automotive cybersecurity expert, Brandon Barry, to answer some important questions.
Who is Brandon Barry, cybersecurity expert?
Brandon Barry wears multiple hats in the automotive cybersecurity world. He is the founder and CEO of Block Harbor Cybersecurity (2015-present), a company dedicated to automotive cybersecurity which has conducted extensive research in the EV space. He is also the North American Team Lead of the Automotive Security Research Group nonprofit. Previously, he tested software at Fiat Chrysler Automobiles. He has a bachelor’s degree in computer science from Brown University.
After exchanging several emails, Mr. Barry agreed to an interview over Zoom. My questions are italicized and begin with “MB.” His responses begin with “BB.”
Keeping your vehicle secure
MB — Any advice you’d give readers to keep their vehicle secure?
BB — I think vehicle cybersecurity is up to the automakers—the manufacturers—to ensure vehicles are safe. People aren’t often updating their vehicles for safety. They expect that: the seatbelt, and the airbag system, the safety ratings.
Cybersecurity is really no different: It’s intended to be baked into the vehicle. And the automakers are really putting the energy into ensuring that’s the case.
That said, many people upfit their vehicle with certain connected devices. And not to say not to do that. But be conscious—when you are doing that—of what type of data they are collecting and what type of risk that may be introducing to the vehicle.
There was a well-known article where one of those dongles for insurance—where they monitor your driving habits—was able to be exploited and potentially move on to the vehicle. You just have to be careful about the things you’re introducing to your vehicle.
MB — Any advice you’d give folks when they’re looking to purchase a new vehicle?
BB — Generally, the auto industry is not seeking to view cybersecurity as a differentiator. Whereas (crash) safety is definitely a differentiator. Consumers do view one car as more safe than another. The industry as a whole is seeking to really treat cybersecurity as something that’s just a minimum expectation across the board. The industry, at least here in the U.S., is not seeking to rate Ford’s vehicles against General Motors’ vehicles.
It’s not like that everywhere around the world: In places like the U.K. and China, they are introducing this market competitive aspect to grade the cybersecurity of vehicles, which would influence consumer choices around the cybersecurity of cars. But generally speaking, consumers should be able to expect that a vehicle is secured with the best corporate diligence, due to the regulations that are going into effect globally.
Do electric vehicles pose an increased cybersecurity threat?
MB — Are electric vehicles (EVs) as secure as internal combustion engine (ICE) vehicles?
BB — In general, EVs are mechanically simpler because they have fewer moving parts. In many cases, this has allowed automakers to centralize their EV’s electronic architecture which can make securing it easier. But make no mistake — more software and more electronics are entering into all vehicles, electric or not.
In the end — whether EV or ICE — what is increasing the attack surface of vehicles is the integration of new technologies. Controlling your vehicle from your phone, new autonomy features, and the integration of internet-connected apps all introduce new risks to any type of vehicle.
MB — Any makes or models you are concerned about?
BB — Companies like Ford are pivoting rapidly to keep up with companies like Tesla, that are quickly gaining market share. We (Block Harbor) were very curious as to the cybersecurity of a vehicle like the Mach-E, which was rushed to market very quickly. They took a lot of their traditional ICE components and kind of glued it together to be an EV. A lot of the teardowns of the Mach-E show the types of rushed decisions that were made to yield that vehicle.
So, we purchased a 2021 Mach-E as soon as they came out. We took a look at the different modules within it—the cybersecurity of them. In the end, there was nothing that was obviously skipped in the cybersecurity of the vehicle due to the transition to the EV. Ford did a pretty good job at ensuring that that EV inherited a lot of the cybersecurity efforts from the previous vehicles.
Now, I will caveat that a little bit. Companies like Ford, General Motors, Stellantis—who are pivoting to EVs—they get to inherit a lot of this stuff, as I just mentioned.
Newer EV companies are in a different position entirely, because they are not inheriting a bunch of legacy stuff. They are building stuff from the ground up. And one of the concerns that we see across the space is that newer EVs are being rushed to market. Their motives are to get these EVs out the door as fast as possible, to stay relevant, to capture market share. That gives them the legitimacy that controls their stock price, etc. And in doing so, there is a concern that things like cybersecurity—that tend to slow down the development process and delivery of those vehicles—can be overlooked.
MB — What’s the likelihood of an EV picking up malware through its charger?
BB — Generally speaking, the industry is viewing the charging system as already compromised. And they’re taking very defensive strategies against the charger port. It’s much like they already protect the diagnostic port within the vehicle: Many times you can’t just plug into that anymore and read traffic from all over the vehicle because there is some segmenting to isolate it and institute some security to ensure that it’s not full access to the vehicle. The same type of segmenting is going into effect for the charger port. I can’t speak for all OEMs. But many of Block Harbor’s customers operate with that kind of mentality and security architecture. They treat the charger port as unsafe.
I will say there are other attacks around EVs that may be much more concerning. With EVs, we are looking at large scale charger networks. The chargers themselves, the EVSEs themselves, are many times in various different security states. Whether it’s Electrify America, or whether it’s a Tesla charging station, or another, there are many different chargers hitting the market in all different security postures. A bigger security concern is that, “What if a charging network was held for ransom?” It would be kind of like if a gas station—or all the Mobil gas stations near you—were taken offline and you couldn’t get gas from those stations. We’re seeing this huge pivot toward EV, with a strong reliance on these charging networks. And where there’s that type of reliance, and lack of security, and many parties involved, I’m concerned. I’m generally more concerned about the chargers themselves than someone moving laterally into the vehicle.
Cybersecurity vs your Right to Repair
MB — How risky is wireless OBD, in either ICEs or EVs?
BB — While looking at a lot of automotive designs, we haven’t really seen that to be a big trend in the space. There would be concern with any wireless attack surface being introduced to the vehicle. But the OEMs have the right mindset, in that they are viewing these types of interfaces that many technicians use, that may get a lot of foot traffic, as “Hey, maybe we should slow down and really consider what someone’s able to do with this type of interface.” They’ve really come to take seriously the risks of these types of wireless attack surfaces in a car.
MB — You’re both a cybersecurity expert and an automotive enthusiast; any thoughts on the balance between Right to Repair and cybersecurity?
BB — All the automakers are tasked with following the laws of Right to Repair, while also making their vehicles more secure. And that often means ensuring that there’s a pathway to authenticate aftermarket tools so that they can properly diagnose and collect data from the vehicle. Automakers are standing up security infrastructure so aftermarket shops can still do that stuff while still benefiting from some of the security aspects.
These are things like authentication methods, where an aftermarket shop needs to register with a third party and then they can keep track of who’s using the system. The diagnostic systems are no longer sitting offline on a PC where you don’t need an internet connection because the car comes in and they diagnose it. It’s all going online where they can keep a much closer watch on the types of cybersecurity events that they may be concerned about.
But think about how complex vehicles are getting: Whether it’s the repair of EVs, which require some specialty equipment and specialty knowledge which traditional repair shops are not set up for. And especially when we get into autonomy, where we’re thinking about complex systems made up of cameras, that are making decisions in the vehicle, that ultimately influence passenger safety. Cybersecurity of an autonomous vehicle is so intertwined with safety. The designers of these systems need to be sure that everything’s working as intended—and that the corresponding fail safes are there to ensure that that vehicle remains safe throughout the life of the vehicle. And to do that, you kind of don’t want anyone modifying the systems that are keeping the passengers safe. So, today what we’re seeing is a lot of systems being stood up to support Right to Repair. But it may be safer, when vehicles become fully autonomous, if those systems stay in a known state. Especially when they’re making safety decisions.
MB — If an automaker were to say, “Only dealers can access telematics,” would you call “Bull!” or would you say, “That’s good security”?
BB — In the scenario where cars take a route of being very focused on mobility, versus serving the enthusiast crowd, I see a divergent path.
I love cars. I have a drift car. I have a road racing car. This is why I started a company in Detroit. It’s why I work on this stuff every day. It’s not so that I take cars and make it so I never need to use them again.
We have this future of focusing on getting people around, and we have this (other) future of cars, and enthusiasts, and enthusiasm around the car. There would never be an enthusiast of an autonomous vehicle, because they’re not driving them. As we think full autonomy. That is getting much more into taxi services, stuff like that. So, I think it’s a complex situation to be in.
I think personally, I love to be able to modify my own stuff. And I love to be able to say, “Hey, yeah, I purchased this and this is mine, and I want to be in control of something that I own.” So, I would call “bull” if I owned it. If it was something like a network of Uber for example, of robo-taxis that I don’t own, I’d say, “No, I actually want that to be as secure as possible. I’d like to know that it’s in a known state, not that a whole bunch of people are modifying it.”
MB — Any other comments for enthusiasts?
BB — There’s often a concern around things like tuning of vehicles. You have the engineers at GM doing everything they can to lock down the Corvette module and encrypt it, and stuff like that. And then you have the tuning crowd saying, “Man I really want this Corvette, but I can’t. I won’t be able to modify anything, and I don’t like that.”
The automakers are thinking seriously about how to enable some of these modifications, and some of these types of tuning applications, so that people can love, enjoy, and modify their vehicles—while making them better and more effective—to serve that audience. I think we will exit the era of car hacking and tuning in the way we traditionally think about it, and enter an era where the automakers become much more focused on that enthusiast crowd, and what they’re asking for. So, rather than try to defend against them, working with them to enable some of those things that people want. And in the end, I think that is because companies like Tesla are listening to their audience. They’re saying, “You want this feature? Yeah, we’ll build it in the next two weeks. And we’ll launch that.” And I think that all the autos need to take that into account. Versus, going against their target market, and rubbing them the wrong way. We’re entering an era where all the car companies really need to cater to that audience.
MB — Is there a tech or a feature on the horizon that you’re giddy about?
BB — Drift mode in the new Mustangs. You know that people are going to go and beat the heck out of their car, and honestly, use it for what they’re buying it for. Versus, the whole mentality of, “No, we’re going to void your warranty.”
Putting that technology in the car is saying, “Look guys, go have fun with your vehicle. We’ll enable this type of stuff. And we’ll support it.”
People want to have fun with their vehicles. They want to love their vehicle. And with the price tag of vehicles increasing exorbitantly, you have to ask, “Why am I paying the price of a small house for a car that ultimately doesn’t have any of the features I wish it had.”
I’ll give you an example of a piece of tech that’s missing from a lot of vehicles that really drives me insane. Many modern cars have all these cameras around them. But very few of the automakers—with the exception of Tesla—have a sentry mode, or dash cams, that facilitate some of the features. You know, you have tons of people who buy cars and stick a dashcam in it. So I’m buying a car with 20 cameras around it and I still have to stick a dashcam in it. It’s a little crazy to me.
Closing thoughts
MB — Do you have any closing thoughts?
BB — I want to emphasize that the automakers are taking cybersecurity very seriously. This isn’t something that’s going under the radar. There are global regulations going into effect that are really setting the bar for what the cybersecurity of vehicles should look like. And there’s not an automaker out there that’s not seriously looking at this, and ensuring that passengers aren’t going to be exploited. I just want to make sure that I’m not communicating the message that cars are hackable or to be afraid of your car. It’s a really serious topic.
MB — Cyber attacks could be described as a kind of new World War.
BB — Yeah, I know. Definitely the cyber front will be where a lot of international warfare happens, a lot of tinkering with each other’s infrastructure, seeing what they can get away with. It’s definitely a reality we’re going to have to face.
MB — I know you’re busy, so thank you very much for your time.