Today’s cars are computers on wheels. Many contain more than one connected device, allowing drivers and passengers to stream entertainment, make phone calls, or access safety features.  The more sophisticated vehicles out there (Teslas and the like) enable cars to connect to the internet for regular software updates.

While such connections bring a lot of benefits, especially when it comes to safety, they can also introduce new cybersecurity risks. A dramatic demonstration in 2015 revealed that hackers could remotely control an automobile; they could perform a number of actions, including killing the engine.  

That’s clearly cause for alarm, so car manufacturers have been including encryption as one of their cybersecurity strategies. However, an emerging technology is threatening that encryption, which means carmakers will need to pivot again to keep their vehicles safe. 

Connected cars 

Cadillac led the connectivity revolution with three of its models in 1997.  These days, even lower-ticket cars come with standard connected systems such as: 
• Remote operation: Near-field communication (NFC) or Bluetooth connectivity are standard in many automobiles now, which allows owners to start the engine or open doors remotely. 
• In-car communication: This includes WiFi hotspots and connections between, for instance, a driver’s phone and the car via USB, Bluetooth, or WiFi.
• Cloud connections: This includes connecting to a manufacturer to install updates, or to a satellite (GPS) for navigation. Such communication often goes in both directions, with the car sending diagnostic information to the manufacturer.
• Leading-edge connectivity: A newer technology, called “vehicle to infrastructure” communication, enables cars to get traffic information and weather updates from local devices. And automobiles can “talk” to each other via “vehicle-to-vehicle” communication, so if one driver needs to pull over, they can inform nearby drivers of their intentions.  

Recent research found that 9% of survey respondents have experienced failures or malicious damage to the digital applications in their vehicles. That’s a small percentage, but it’s growing, and the United States government is increasingly concerned when it comes to security risks from connected vehicle technology coming from overseas. Earlier this year, the U.S. Department of Commerce announced it was launching an investigation into the national security risks of connected car technology.  

The quantum computing threat 

Concurrent with automobiles becoming more connected, physicists and computer scientists have been working on a cutting-edge technology that introduces greater risk to that connectivity: quantum computing. The technology uses the effects of subatomic phenomena to make computation massively faster. This means that, theoretically, a quantum computer could break today’s encryption in hours or minutes, as opposed to a standard computer which would take trillions of years. 

While some companies are getting close to launching commercially viable quantum computers, these won’t have the power and reliability required to jeopardize, for instance, over-the-air updates for vehicle systems, which would enable hackers to add malware or spyware to those updates. Computer scientists speak of “Q-Day,” when a quantum computer will be able to decrypt standard encryption methods like RSA or ECC, but that could be 10 years off or more. 

How car companies are responding right now 

With respect to the eventual ability of quantum computers to render encryption useless, there’s good news and bad news. First, the bad: In the United States, the average age of cars and light trucks is about 12.5 years. The number of cars under six years old has dropped significantly, and this isn’t expected to change until 2028. So, although Q-Day may not arrive for 10 years, most automobiles created today will still be in operation on that day. In addition, cars and trucks often contain OEM (original equipment manufacturer) parts that could be exploited by attackers even if the other parts are secure. 

Consequently, carmakers must be prepared to keep their vehicles safe without knowing precisely what to keep them safe from or when the threat will arrive. One thing they can do as a first step is to conduct a thorough cryptography inventory. They should also promote quantum readiness with suppliers (e.g., chip manufacturers). 

But here’s the good news: NIST has released four algorithms that are thought to be secure against quantum computing attacks. Manufacturers can use them now along with standard encryption methods. Should an algorithm turn out to not work well, they need to be able to quickly switch to another one. This is known as quantum agility. Carmakers and OEMs need to plan accordingly. 

Quantum agility will figure prominently across the automotive industry as the world waits for Q-Day, especially as the risks posed by it become clearer. The cybersecurity sector can do its part to promote this concept so manufacturers can pursue the flexibility they need to evolve along with coming threats. A number of automotive companies and chip manufacturers supplying the automotive industry are already preparing themselves, especially for securing the process of loading software updates. All the tier-one suppliers and OEMs will need to prepare as well.