The auto industry is downplaying the immediate risk of car hacking after a report about a cyberintruder's use of GPS trackers that allowed him to monitor the location of thousands of vehicles in commercial fleets and turn off their engines.
"Hacking is not like you see it on TV," said Gloria Bergquist, a spokeswoman for the Alliance of Automobile Makers. But she said automakers take the threat seriously and are focusing more and more effort on shielding vehicles' computer systems from possible intruders.
"Vehicles are highly complex with multiple layers of security, and remote access is exceedingly difficult by design," Bergquist said in an email. "New cars being launched now have an exponential increase in cybersecurity. Automakers are collaborating in all areas possible, including hardware, software and knowledge sharing with suppliers, government and the research community."
Motherboard reported last week that the hacker - who was identified only by the handle L&M - cracked more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts that some companies use to manage their commercial fleets through GPS signals.
The hack allowed L&M to not only track vehicles in a small number of foreign countries, including India and the Philippines, but shut down the engines of vehicles that were stopped or traveling 12 mph or slower, the site reported. The hacker told the news organization that he also was able to access information on the users from their accounts. Motherboard said it verified the hacker's claims by contacting people whose accounts had been breached.
The report - though involving apps in use by fleet companies in a few foreign countries - offers a reminder of a potential downside to the leap forward in technology that has made it easier than ever to go from one place to another. It also comes as automakers cram more and more high-tech systems into vehicles such as driver-assist technology on the way to building autonomous vehicles that will one day drive themselves.
Much of the problem has focused on keyless locking and ignition systems, which can be vulnerable to interception. The German General Automobile Club, or ADAC, reported that 230 of 237 model cars it tested had keyless starting and locking devices that were vulnerable to theft, the BBC says. The most common method - known as a "relay hack" - involves using wireless transmitters to extend the range of the electronic key fob: thieves hold the transmitter near the window of the target's house and project the fob's signal, thereby tricking the vehicle's sensors into thinking the fob is closer to the vehicle than it is.
AAA says most relay hacks target property inside the vehicles, not the vehicles themselves, because once the car is moved beyond the ordinary range of the fob (about 3 feet), the vehicle cannot be restarted again. But AAA also says the extent of such thefts isn't known.
In the meantime, automakers say their engineers have made IT security a priority. Computer-based systems that control the vehicle or contribute to its safe operation are walled off from communications and navigations systems. The industry also says it uses simulated attacks to test the safety. In 2015, Fiat Chrysler voluntarily recalled 1.4 million vehicles after security researchers, using pathways in onboard entertainment systems, discovered a way to disable a Jeep Cherokee's brakes and steering while the car was on the highway.
The Detroit Free Press last year profiled such a hacker who serves as a legal and technical consultant for auto manufacturers and other industries. As a "white hat" researcher, the hacker was paid to find flaws in onboard computer systems that might allow him to render certain parts of the vehicle useless or simply make it seem as if the car was always in need of service.
The industry in 2015 also set up the Information Sharing and Analysis Center with 49 automakers and suppliers to develop guidelines on cybersecurity.
Bergquist, the spokeswoman for the Auto Alliance, said consumers can also play a part by exercising good cybersecurity practices in whatever they do, including pairing a smartphone with a car. She also urged people to delete phone data from rental cars if the phones were paired with the rental vehicle, and to follow regular schedules for maintenance and software updates.
"There are a lot of players out there who want to access your car's data for their own gain," she said.