Industry ‘ignoring' threats, hacker says

TEL AVIV, Israel — Automakers should stop treating cybersecurity researchers as adversaries and instead consider them collaborators.

So says David Colombo, the teen hacker who exploited flaws in third-party software that allowed him to access approximately two dozen Tesla vehicles this year.

His hack spotlighted vulnerabilities that let him open and close car doors and honk the horns. While speaking at EcoMotion, the annual Israeli innovation and mobility conference held this month, he implored others in the auto industry to remember that this is not a Tesla-specific problem.

"Automakers are consciously ignoring vehicle security vulnerabilities, and this puts all car users and [pedestrians] in serious danger," said Colombo, who founded his own cybersecurity tech firm. "The fact is that I, as a 19-year-old with free time, was able to hack into a Tesla quite easily. Like me, there are a lot of hackers who can do that."

His sentiments run counter to a prevailing notion that the auto industry has gotten its act together since white-hat cyber researchers commandeered remote control of a Jeep Cherokee in 2015. That exploit caught the attention not only of the auto industry but also the Defense Department.

In many ways, the industry has responded. It established the Automotive Information Sharing and Analysis Center in which government, industry and academic representatives gather and share insights on known risks. Several automakers have organized bug-bounty programs so researchers such as Colombo can share the vulnerabilities they find.

Governments have responded as well. In July, new European Union regulations surrounding vehicle software and over-the-air updates go into effect, designed to reduce the risks introduced into passenger vehicles.

Those have ushered in a pivot around automotive cybersecurity, from thinking about it as something that happens aboard a vehicle to thinking about cybersecurity throughout a vehicle's lifetime, according to Roy Fridman, CEO at C2A Security, a Jerusalem-based cybersecurity startup.

"The new regulation actually means 'we require you to have a cyber life cycle management system in your vehicle,' and it comes from the understanding that cyber is a living thing and that new weaknesses are constantly being discovered," he said.

Still, many believe the industry can do more to thwart cyberthreats. And it's not just third-party researchers or startups that see flaws.

"The automotive industry lags behind other industries," said Shaya Feedman, cybersecurity weakness researcher at Faurecia Security Technologies, a subsidiary of the global supplier.

"If I find a security vulnerability in a technology company's software, not only am I encouraged to disclose it to them, they even reward me to and rush to fix the loophole. The automotive industry is not used to working in a collaborative mode. The rest of the world is much more collaborative."

Faurecia started its cybersecurity unit with 60 employees in 2019, and Feedman said the team has identified thousands of vulnerabilities in nearly every vehicle model to date. These gateways could allow hackers to penetrate critical safety systems, such as braking, engine systems and steering control.

At a time when electric vehicle sales are increasing, he warns there are new complications.

"There is a clear and immediate danger that the auto industry is knowingly ignoring," Feedman said. "In electric vehicles, they can break into the battery and turn it into a bomb."

With a rush toward electrification as governments and industries seek to decarbonize, the cyberthreat extends beyond automotive.

"One must look at the big picture and understand that it is not just vehicles, but mobility in general," Colombo said.

"Cars and planes and ships. ... Security researchers are aware of the problem, but the general public does not pay attention to it."