Hacked Jeep sends warning to German luxury-car trio

When hackers landed a Fiat Chrysler Automobiles NV Jeep in a ditch last week, it sent a warning to BMW AG, Audi and Mercedes-Benz as the German luxury-car trio compete increasingly on technology rather than just horsepower.

Mercedes’s E-Class will soon be able to help steer itself, Audi sent an unmanned RS7 down a track at race-car speeds and BMW’s new 7-Series responds to hand gestures. All three already offer self-braking systems and highly automated cruise control that are slowly shifting driving responsibility away from the human and toward the machine.

Now the manufacturers must reassure consumers willing to spend upwards of $50,000 that it’s safe to drive what has increasingly become a computer on wheels. All three carmakers say they have tools in place to thwart cyberattacks, including encrypted connections and siloed safety and entertainment systems. Still, today’s cars are so complex that more hacks may be inevitable, said Rainer Scholz, a Hamburg-based executive director for telematics and mobility at consulting company EY.

“The difficulty for the carmakers at the moment is the question whether they can keep pace with advances in technology, especially hacking technology,” Scholz said. “We seriously doubt they can.”

Carmakers currently tend to focus on systems security after the final product has been built, to then patch holes, Scholz said. And hackers no longer need access to an entire car — which in the past might have required buying one — in order to seek out vulnerabilities, he said. Just having access to one component, such as an entertainment console, might suffice.

The number of potential targets is growing. By 2020, about 90 percent of new vehicles in western Europe will be connected to the Internet, compared with about one-third next year, according to Hitachi Ltd.

Cars are more vulnerable when networks connect all their features together, according to an automotive team from NXP Semiconductors NV, a Netherlands-based supplier for the auto as well as computer industries. That’s what happened in the Jeep hack, when a pair of researchers took control through the vehicle’s entertainment system.

The team that hijacked the Jeep shared their results with Fiat Chrysler, which recalled 1.4 million vehicles to fix the security flaw they’d exploited. The company said it’s not aware of any real-world unauthorized remote hack into any of its vehicles.

Cars are increasingly evolving into full-service mobile devices that can find restaurants, make emergency calls and even park themselves.Daimler, BMW and Audi said they separate different vehicle domains — walling off the radio from the brakes, so to speak — with firewalls and additional features such as public-key-cryptography and virus scanners.

“Absolute, 100 percent safety isn’t possible,” said Benjamin Oberkersch, a spokesman for Mercedes’ parent Daimler AG. “But we develop our systems, tested by internal and external experts, so they’re up to date.”

While hacks of German cars have fallen short of the stunt to which the Jeep was exposed, BMW, the maker of the carbon-bodied, electric-engined i8 sports car, had to fix a security flaw in one of its digital-services systems this year.

A study by German auto club ADAC found hackers could wirelessly open BMW, Mini and Rolls-Royce vehicles in minutes. About 2.2 million vehicles equipped with BMW’s ConnectedDrive service were vulnerable. The Munich-based company closed the security gap with an automatic system upgrade that took place when vehicles connects to BMW’s server.

Manufacturers will need to take systems security for connected vehicles into account from the very beginning, said Cypselus von Frankenberg, a spokesman for BMW.

“Carmakers and their suppliers will be spending a lot more effort on defining security architectures in the future,” said Lars Reger, chief technology officer at NXP’s auto unit.