for years Tesla has offered its users the ability to increase the capacity of their car batteries remotely. And in the not too distant future, the customer will be able to ask the brand for their car to have 4×4 electric traction for a weekend, because it will go up into the snow, and to return it to normal settings on Monday. Now let’s think that a ‘hacker’ connects to either of those two vehicles and overrides those orders.
The first could cause us a disorder the second, ending in an accident, and they are not speculations. According to the American NHTSA, in 2015 1.5 million vehicles were already recalled in the country for cybersecurity failures. Only a year before, some computer scientists proved capable of opening a vehicle remotely but also of taking the controls of it while in motion. It was the sample button the Spanish consultancy Eurocybcar assures that since 2012 more than 400 computer attacks have been documented that affected cars from 43 brands around the world.
It is the hidden face of the connected and increasingly autonomous car, responsible for our comfort and safety based on an increasing exchange of information and data with other vehicles, with the manufacturer, and with the infrastructure. Although the weak side can also be our smartphone, which already helps us to give orders turn on the heating, open the doors or start it.
To end this vulnerability, the UN approved in June 2020 a regulation that will force all cars to have a cybersecurity certificate. They have not adopted it in the US, but Japan, South Korea, and the EU, where it came into force on January 1. It will not be mandatory for the approvals of new models until July 2022 and in July 2024, no car that does not have this certification will be sold. It affects cars, vans, buses, trucks, motorhomes, and trailers, the latter provided they carry some electronic control.
Although brands have been at work for some time, often hiring white hackers to discover the flaws, the task seems daunting. The rule requires them to create a protocol that guarantees protection against 70 threats of all kinds. From an attack to the cloud to which the car is connected, the possibility of acting on its behavior, the theft of data, or those that can take advantage of the frequent software updates carried out by manufacturers.
Also, this protection must cover the design process of the vehicle and its components until the end of its useful life. A complex scenario, as illustrated by two facts: on the one hand, the 150 switchboards and 100 million lines of computer code four times more than a combat fighter that a modern car has on the other hand, that the danger may be hidden in something as simple as the music that we download through a pen drive.
The most shocking thing is that neither the UN nor the EU has set the measures to be taken by the manufacturers or the tests to pass to be qualified. Nor who should carry them out. Only that validation will have to be carried out by an independent body, not the manufacturer on its own. This is the case of Eurocybcar, whose managers claim to have developed a test protocol that responds to the 70 threats to combat.
We are not aware, at an international level, that there is another company that has achieved it, says Jose Guerreira, head of regulations and legislation. It also points out that its procedures confidential like the military ones are backed by Aenor and go hand in hand with the Ministry of Industry. But no one can guarantee that the cars will be 100% protected. Breaking through the current defenses is just a matter of will, time, and money.
That is why the certifications will last three years and then they will have to be renewed. We are about to complete the international patent for the procedure says Azucena Hernandez, CEO of the company. And the first certified vehicles will be a car, a truck, and a bus made in Spain. In the absence of more precise legislation.
It seems that the task will fall on a few independent bodies that demonstrate the solvency of their examinations and that could, in turn, be subject to external audits, that is, in the same way as is done now with technical and consumption approvals. In fact, violating these or those related to cybersecurity will be punished with the same penalty of up to 30,000 euros per car sold and even the withdrawal of that model from the market.