Illustration: Rebecca Zisser/Axios

The internet connectivity built into most new vehicles enables all sorts of conveniences — news, entertainment, weather and even over-the-air software updates from the manufacturer. The downside: Connected cars are incredibly easy to hack.

The big picture: With 16 million new cars and trucks sold every year in the U.S., these cybersecurity risks are already extensive and will only grow as the push toward autonomous vehicles continues.

Today's connected vehicles sync up with crash avoidance systems, adaptive cruise control, lane departure warnings and other networked safety components. They contain up to hundreds of processors and electronic control units (ECUs), each with its own processor. One ECU might control the braking system, another the lights, yet another tire pressure. These powerful ECUs are typically connected, sometimes wirelessly, to the car’s main computer and to each other by a data bus — sending and receiving data, files and commands.

Protecting vehicle ECUs and entertainment systems against hackers — via operating system updates, file backups, antivirus software upgrades, malicious software screening tools, and the latest web browser — takes anywhere from a few seconds to a few minutes a month. Yet those brief moments per processor, across the hundreds of processors in each car, make for a formidable task.

Moreover, there are no rules dictating who is responsible for ensuring that needed updates and upgrades happen at all, let alone in a timely fashion — a regulatory gap that increases the potential openings for malicious actors. Without a commitment from the manufacturer to verify that software and firmware are functional and up to date, vehicle operators are left vulnerable. A critical safety feature could be disabled by obsolete logic — or, potentially worse, by the installation of embedded malware.

By exploiting many of the same vulnerable entry points found in smartphones and laptops, hackers can gain control of a car's microphones, lights and components over the internet, Bluetooth or internal wireless connections. Once in the system, they can surreptitiously listen in on conversations, intercept calls, access private data and, in certain situations, assume control of or compromise a car’s operational and safety systems. Under remote control, the distinction between changing the radio station and changing the car's speed is simply the push of a button.

Be smart: If vehicle cybersecurity does not receive serious oversight and attention now — from manufacturers, governments and drivers — it will soon become a critical impediment to safety and privacy.

Jason Levine is executive director of the Center for Auto Safety.
