Author: Andrew Blancher, CPCU

Picture a day in the hopefully not-to-distant future when we're all back to our pre-pandemic routines (nice, isn't it?). You're back in the groove of your morning commute, looking forward to picking up on your audio book as you hop into the driver's seat and start your truck. But rather than the normal hum of the engine turning over, nothing happens. Well, not nothing. Your media console lights up with an ominous message: “This vehicle has been hijacked. To unlock your truck, please forward five CryptoCoins to the following address."

There goes your good day.

A new era of vehicle risk

The above scenario is a fictitious but entirely plausible account of just one of the emerging risks associated with vehicle hacking.

Think of vehicle hacking as a cyberattack targeting various access points in a connected vehicle (that is, a vehicle that can wirelessly communicate and share data with other devices, platforms and internal and external networks and systems.). Once a vehicle has been breached, an auto hacker can wreak all manner of havoc.

Vehicle hacks could include:

• shutting down the car or truck and demanding a ransom to restart it
• commandeering the steering, braking, HVAC or other vehicle controls from the driver
• denial of service attacks that temporarily disable a vehicle
• encryption of personal or business data stored on, or accessed via, the connected vehicle

As connected vehicle technology continues to evolve towards greater electronic control and wireless communication, the opportunities for malicious exploits will likely only grow. Every Bluetooth radio, telematics unit, tire pressure sensor, or remote keyless entry built into a vehicle could become a potential vector for a crippling cyber intrusion.

Indeed, by 2023 nearly 70 percent of light-duty vehicles and trucks sold globally are expected to feature Internet connectivity, while 76 million connected cars are projected to be sold in that same year.

As connected vehicle technology proliferates rapidly, the state of vehicle cybersecurity doesn't appear to be keeping pace. According to one industry expert quoted by the Detroit Free Press, the security status of internet-connected vehicles today “is pretty much the same as computers in the 1980s." It's a sobering assessment, especially when you consider how many cyberattacks are executed against computer systems that are often safeguarded by the most up-to-date technology.

Fleet owners may emerge as a particularly ripe target for vehicle hackers. As one vehicle security firm noted, “By invading the command and control of the fleet management system, a talented hacker could potentially shut down an entire fleet currently traveling on the road. While recent attacks indicate that hackers require about $500 to release a single vehicle, it would take a king's ransom to get all those trucks back into operation."

A new endorsement and rating rule to cover certain vehicle hacking risks

While vehicle hacking hasn't yet become as pervasive a real-world threat as computer hacking, vehicle manufacturers are already on notice. In 2015, one automaker was forced to recall 1.4 million vehicles following the revelation from security researchers that a vehicle series was vulnerable to remote takeover. The ubiquitous software updates that desktop and mobile computer owners are so accustomed to are now becoming routine for vehicles as well.

Risk transfer options must also keep pace with evolving vehicle technology.

At Verisk, we've developed a new, optional Auto Hacking Expense Coverage endorsement and corresponding rating rule to help insurers address the insurance needs for vehicles equipped with connected vehicle technology.  

The endorsement is generally designed to cover certain expenses for private passenger auto and light/medium trucks associated with diagnosing, restoring, and repairing a vehicle after a hack. The coverage provides for the cost of repairing a vehicle's computer system, temporary transportation expenses, and even ransom payments, among other related costs. (ISO customers can access ISO Circular LI-CA-2020-229 for the details on the draft coverage language and rule.)

As the road becomes a target-rich environment for hackers, we're working to stay ahead of this emerging risk by providing insurance coverage solutions that can help minimize and mitigate this 21st century threat.

Last updated: October 9, 2020