Automotive hacking – the cyber risk auto insurers must consider | Insurance Business America
Up until the last few years, criminals hacking into your car and taking control seemed like the stuff of Hollywood movies. Not so today, as vehicles become increasingly connected. Global sales of connected cars are expected to surge to 115 million in 2025, from around 30 million sold in 2020, according to ABI Research.
But the rise of smart, connective technology in vehicles has also exposed new weaknesses that hackers can exploit. A report by Upstream Security revealed that automotive cyber security incidents spiked 225% from 2018 to 2021. The majority (85%) of global attacks were conducted remotely.
“When you think about how thefts of vehicles happened traditionally, somebody needed to hotwire or manually break into a vehicle,” said Sandee Perfetto (pictured), senior director of personal lines core products for underwriting solutions at Verisk.
“Now you have more connectivity that potentially leads to more access points in the vehicle, as well as through the fobs that are used to access and remotely start them.”
Read more: Is it time for autonomous vehicles to take the wheel?
Data or privacy breaches are the most common cyber incidents in vehicles, followed by thefts or break-ins using a wireless key fob. Malicious parties could also use spoofing or other forms of cyberattacks to remotely gain access to a vehicle. For instance, a team of security researchers found a flaw in several Honda car models that allowed hackers to intercept codes from the key fob to unlock or remotely start a vehicle, VICE reported last month.
Perfetto also cited a common key fob feature as a potential risk: “In some car models, the mirrors stay out when the fob is left in a vehicle. This can trigger thieves because it signals that the fob is inside and could easily be stolen.”
More worryingly, potential hacking incidents could pose safety risks for drivers and passengers. In January, a 19-year-old hacker made headlines after claiming to have remotely accessed more than 25 Tesla vehicles in over a dozen countries.
In a series of tweets, David Colombo said he hacked into a third-party app installed in the vehicles to play music, unlock doors, flash headlights, and even start keyless driving. But the German teen admitted he could not intervene with steering nor access the brakes or acceleration.
Perfetto told Insurance Business that similar exploits, though not widespread, should concern car owners and insurers. Electric vehicles (EVs) with sophisticated software for advanced driver safety features, such as emergency braking and collision avoidance, may be particularly vulnerable to hacking.
“Where you add more software and more technology to a vehicle, it creates the potential for more cyberattacks. While there are benefits to these safety features, they can also come with increased [cyber] risk,” Perfetto said.
Then there’s the potential for data breaches when owners connect their EVs to public charging stations. Owners may not realize that data could potentially be transferred to and from the charging station, which may lead to malicious software infecting their car, Perfetto added.
Challenges for auto insurers
Cyber exposures are a relatively new frontier for auto insurance. Traditional risk considerations have revolved around liability or theft, but those have evolved amid the increasingly connected landscape for vehicles.
“We must evaluate the types of losses happening and what’s causing those losses. Are they related to malfunctions in a vehicle? Are they related to hacking? It’s a challenge for insurers even to determine the ultimate cause of a loss,” said Perfetto.
“If there was an accident, and it wasn’t the driver’s fault per se but more of a vehicle malfunction, that may not be easily attributed. If there was a hacking incident, that might not be easy to discover.”
For underwriters, understanding the potential frequency and severity of accidents for EVs also poses a problem. Manufacturers use different battery packs, which makes insuring for fires challenging. Costs for replacing high-tech fittings are also significantly higher for EVs.
“We have seen data that supports reduction in accident frequency related to certain technology added to a vehicle. But we have also seen the cost of replacing some more advanced technologies increase. Something as simple as a rear end or a minor dent in your bumper that used to be an easy and relatively inexpensive item to fix has become much more costly,” Perfetto noted.
But perhaps the biggest lingering question around connected cars and EVs revolves around liability. Though laws vary across states, liability for road accidents typically falls on the driver. But as technology picks up more driving functions, the answer to “who’s responsible?” won’t be as clear. Insurers are watching keenly to see if liability laws evolve, particularly in the advent of autonomous driving.
Read more: Autonomous vehicles to shift liability, says tech executive
“If those [technologies] are the cause of a loss, or if there was a hacking incident that isn’t discoverable right away, that raises questions of who should have the legal responsibility. Should it now shift to the manufacturers or vehicle technology suppliers?” Perfetto asked.