In garages and driveways across America sits a machine with more lines of code than a modern passenger jet. With an internet link, today’s cars and trucks can report the weather, pay for gas, find a parking spot, route around traffic jams and tune in to radio stations from around the world. Soon they’ll speak to one another and alert drivers to sales as they pass favorite stores. And one day, they’ll even drive themselves.

While consumers may love the features, hackers may love them even more. And that’s keeping many in the auto industry awake at night, worried about how they can stay one step (or two or three) ahead of those who could eventually play havoc with the world’s private transport systems.

Hackers seemingly can’t wait for the opportunity to commandeer vehicles. In 2019, the automotive cybersecurity company Karamba Security posted a fake vehicle electronic control unit online. In under three days, 25,000 breach attempts were made, and one succeeded.

The best-known vehicle takeover occurred in 2015 when security researchers on a laptop 10 miles away caused a Jeep Cherokee to lose power, change its radio station, turn on the windshield wipers and blast cold air. Jeep’s parent company, FCA, recalled 1.4 million vehicles to fix the vulnerability. 

Today, the effects of a breach could range from mildly annoying to catastrophic. A hacker could steal a driver’s personal data or eavesdrop on phone conversations. Nefarious code inserted into one of a vehicle’s electronic control units could cause it to suddenly speed up, shut down or lose braking power.

A fleet of cars could be commandeered and made to steer erratically, potentially causing a major accident. A hacked electric vehicle could shut down the power grid once the car was charging. Even altering a street sign in ways imperceptible to the eye can trick a car into misperceiving a stop sign as a speed limit sign.

The problem goes beyond demonstration intrusions. Karamba has been working with a South American trucking company whose fleet was hacked to hide it from its tracking system, allowing thieves to steal its cargo unnoticed. And a quick internet search will reveal scores of successful but so far benign hacks against many of the world’s major automotive brands.

"To take control of a vehicle’s direction and speed, this is what everyone in the industry is worried about," said Ami Dotan, Karamba’s chief executive. "And everyone is aware this could happen." 

The challenge may be even greater than securing the world’s airlines. According to a McKinsey & Company report on automotive cybersecurity, modern vehicles employ about 150 electronic control units and about 100 million lines of code. By 2030, with the advent of autonomous driving features and so-called vehicle-to-vehicle communication, the number of lines of code may triple.

Compare that with a modern passenger jet, with just 15 million lines of code, or a mass-market PC operating system with around 40 million lines of code, and the complexities become clear.

Vehicle manufacturers understand that a successful hack that caused death or destruction could be a major blow. "The incentive to prevent a giant malicious attack is huge," said Gundbert Scherf, a McKinsey partner and an author of the report.