Self-driving security: How Detroit leads the way in automotive cybersecurity


This feature is courtesy of Driven, the story of how the Detroit region is leading the world in next-generation mobility.
A hacker takes control of an autonomous car and forces it to do his or her bidding, flaunting the wishes of a car owner who may or may not be in the vehicle at the time. We've seen images like this in pop culture like last summer's blockbuster "The Fate of the Furious," and cybersecurity expert André Weimerskirch says they're what most people think of when they imagine cyber threats to vehicles.

But Weimerskirch, who is the co-chair of the cybersecurity working group at Mcity, the University of Michigan's (U-M) testing facility for connected and autonomous vehicles, and vice president of cybersecurity for Lear Corporation, believes that sort of attack is quite low on a very long list of priorities for hackers as connected and autonomous vehicles proliferate. He says hackers are typically motivated by financial gain, and remotely taking the wheel of someone else's car doesn't provide much opportunity for that.

The burgeoning world of connected and autonomous vehicles, however, does provide hackers a plethora of more lucrative opportunities, ranging from stealing credit card information from a vehicle to abusing vehicle-to-infrastructure systems to break into a car owner's garage or house.

Fortunately, though, Weimerskirch is just one of many in Metro Detroit's automotive cybersecurity sector who are working feverishly to prepare defenses against such attacks.

"I believe hackers are very smart, and they have a huge advantage," Weimerskirch says. "They only need to come up with one idea, one attack, where we, the defenders, need to foresee all possible ways we could be affected."

The slow rise of automotive cybersecurity

Automotive cybersecurity is hugely important, but it's also a relatively new industry for obvious reasons.

"If you think about the vehicles we had even five years ago, none of them had WiFi connections," says Eric Cesa, general manager of the Americas for ETAS, parent company to cybersecurity company ESCRYPT, which has an Ann Arbor office. "They weren't connected to the infrastructure, so to speak. They were their own single node in the end."

Weimerskirch says cybersecurity first appeared on automakers' radars with the advent of remote door-unlock technology. But for a long time, it was far from a pressing concern. Awareness of the increasing need for automotive cybersecurity grew when University of California, San Diego researchers wirelessly hacked into a Chevy Impala in 2010.

The topic entered even more into the public consciousness when researchers Charlie Miller and Chris Valasek wirelessly took control of a Jeep Cherokee in 2015. As of the last five to six years, Weimerskirch says, "there's a very different sensitivity around this topic where everyone takes it seriously."

Weimerskirch says those working in automotive cybersecurity have "lots and lots of open challenges" to address. A 2016 National Highway Traffic Safety Administration report broke those challenges into four broad groups: protecting against hacks, detecting hacks once they've successfully infiltrated a system, responding to mitigate the effects of successful hacks, and assessing and widely disseminating solutions.

Ami Dotan says that after overcoming an initial learning curve, the auto industry is now working on "fast forward" to tackle those problems. Dotan is the CEO and co-founder of Karamba Security, an Israeli cybersecurity firm with offices in Bloomfield Hills and Detroit. He says automakers are now fully aware that cybersecurity and safety are inseparable.

"Any mistake, any one time, any wrong read of the command, may mean people's lives are at stake," he says. "So this became a catalyst for cybersecurity solution thinking. The interest is great, the involvement is great."

"Michigan is leading"

Ami Dotan, cybersecurity professional with Karamba - photo by Nick Hagen

What's more, that interest and involvement is very much centered in the Detroit area. Dotan originally opened an Ann Arbor office so he could be closer to U-M, but then opened offices in Bloomfield Hills and at the PlanetM Landing Zone in downtown Detroit in order to be closer to automakers and Tier 1 auto suppliers. He relocated here from Israel in 2016 and says he appreciates the close, personal access he now has to Detroit's automotive community.

"Michigan is leading," he says. "Why is that? Because in Silicon Valley, these other automakers ... cooperate very little. They try to do everything by themselves, in-house. There is not much of a community around the subject, where here there is much more involvement and sharing when it comes to cybersecurity."

Matt Fanto says that's thanks to Detroit's status as the birthplace and longstanding center of America's auto industry. Fanto is a senior application safety engineer at Ann Arbor cybersecurity firm Duo Security, and he's previously worked on cybersecurity projects for Ford, Chrysler, and ESCRYPT. He says automotive cybersecurity is quite different from any other type of cybersecurity in that personal safety is paramount, and Detroit's auto industry understands that.

"The automotive industry has such a huge focus on things like quality and safety and reliability," he says. "I think the expertise in that ... places Detroit in a better position than some of those traditional hubs."

Kettering University president Robert McMahan echoes that sentiment, noting that Detroit's auto industry has long had to adhere to much higher standards of safety than most.

"People can't have the OS of their car crash and hang while they are driving," he says. "It has to work every time flawlessly or people get hurt or killed. That's the significant difference, and Michigan is in an enormous position of advantage."

What's next?

Now that industry interest in automotive cybersecurity has ramped up, with expertise concentrated in metro Detroit, local activity and energy in the sector are extremely high.

"It's a very competitive space right now," Cesa says. "You see all of the tiered suppliers building up internal expertise, as well as the OEMs, which makes for a really competitive environment."

Dotan says 2018 stands to be a particularly important year for automakers, the automotive cybersecurity sector, and Michigan alike.

"2016 and 2017 were years of the automakers and the suppliers like us educating each other about the needs, the pains, and the solutions needed to overcome those pains," he says. "We see a commitment in our discussions with automakers that they view 2018 as a crucial year for them."

Cesa describes the sector as being in yet another "adaptive phase" as traditional tech hubs on the west coast begin to really take notice of activity in Detroit. Waymo, Google's autonomous car development company, has already established a development center in Novi. And Cesa expects that other tech giants will soon be in a position of responding to Detroit's leadership in automotive cybersecurity.

"I think the wealth of knowledge that we have in this area really sets us in a good place to support the future of the auto industry," he says.

Visit Driven and learn how the Detroit region is leading the world in next-generation mobility.
Enjoy this story? Sign up for free solutions-based reporting in your inbox each week.

Read more articles by Patrick Dunn.

Patrick Dunn is the managing editor of Concentrate and an Ann Arbor-based freelance writer for numerous publications. Follow him on Twitter @patrickdunnhere.