In your garage or driveway sits a machine with more lines of code than a passenger jet. Today's cars and trucks with an internet link can report the weather, pay for gas, find a parking spot, route around traffic jams and tune in radio stations from around the world. Soon they will speak to one another and alert you to sales as you pass your favorite stores, and one day they will even drive themselves.
While consumers love the features, hackers love them even more. And that is keeping many in the auto industry awake at night, worried about how they can stay one step ahead of those who could eventually wreak havoc with the world's private transport systems.
Hackers seemingly cannot wait for the opportunity to commandeer vehicles. In 2019, automotive cybersecurity company Karamba Security posted a fake vehicle electronic control unit online. In less than three days, 25,000 breach attempts were made, and one succeeded.
The best-known vehicle takeover occurred in 2015 when security researchers on a laptop 10 miles away caused a Jeep Cherokee to lose power, change its radio station, turn on the windshield wipers and blast cold air. Jeep's parent company recalled 1.4 million vehicles to fix the vulnerability.
Today, the effects of a breach could range from mildly annoying to catastrophic. A hacker could steal a driver's personal data or eavesdrop on phone conversations. Nefarious code inserted into one of a vehicle's electronic control units could cause it to suddenly speed up, shut down or lose braking power.
A fleet of cars could be commandeered and made to steer erratically, potentially causing a major accident. A hacked electric vehicle could shut down the power grid once the car was charging. Even altering a street sign in ways imperceptible to the eye can trick a car into misperceiving a stop sign as a speed limit sign.
"To take control of a vehicle's direction and speed: This is what everyone in the industry is worried about," said Ami Dotan, Karamba's chief executive. "And everyone is aware this could happen."
The danger is growing
According to a McKinsey & Co. report on automotive cybersecurity, modern vehicles employ around 150 electronic control units and about 100 million lines of code; by 2030, with the advent of autonomous driving features and so-called vehicle-to-vehicle communication, the number of lines of code may triple.
Compare that with a modern passenger jet with just 15 million lines of code or a mass-market PC operating system with around 40 million lines of code, and the complexities become clear.
Cybersecurity companies must protect a vehicle in many ways. Threats include SIM cards carrying malicious code, faked over-the-air software updates, code sent from a smartphone to the vehicle, and vehicle sensors and cameras being tricked with wrong information.
"It's just a matter of time before a major hack happens," said Moshe Shlisel, chief executive of GuardKnox Cyber Technologies. "The most secure vehicle is a Model T Ford, because it's not connected to anything."
Vehicle electronic control units are being designed to send an alert if a system that normally never communicates with another suddenly tries to do so. And they also are locked down so that an attempt to inject new code will be thwarted.
"Human life is involved, so cybersecurity is our top priority," said Kevin Tierney, General Motors' vice president for global cybersecurity.
Still, determined hackers will eventually find a way in, experts say. If the U.S. government could not prevent Russia from hacking into its computers, can vehicle manufacturers do a better job?
"I'm very used to the doom-and-gloom narrative, and I would caution against it," said Gundbert Scherf, a McKinsey partner. "We still have enough time to shape the narrative."