Retaliatory Drama in the Shadows of Texas Cars: Exposure of Cyber Vulnerabilities and Sprouting Regulations (2009s-2010s)
Around 2009, many U.S. citizens were struggling to repay their auto loans due to the recession following the collapse of Lehman Brothers. Dealerships and loan companies introduced remote vehicle shutdown systems to efficiently repossess vehicles from delinquent borrowers. These systems could forcibly shut down the engine over the Internet, using GPS and on-board relays. They spread rapidly across the U.S. because the modules were inexpensive and easy to install.
Around 2010, however, the system was abused at a dealership in Austin, Texas. A former employee, who had been laid off, illegally hacked into the system and shut down more than 100 cars at once. Suddenly deprived of transportation, people were unable to get to work or school, and their lives were thrown into chaos. A police investigation revealed that this was an act of retaliation.
The incident vividly illustrated the vulnerability of IoT devices. At the time, encrypted communication was not implemented, passwords were left at default settings, and access control was lax. Such defenselessness exposed serious weaknesses against both internal and external attacks. Related technologies such as in-vehicle telematics, remote engine start, and GPS tracking were becoming popular, but because they relied on the same infrastructure, danger and convenience were inextricably linked. Later research into CAN bus intrusion demonstrated that even braking and steering could be controlled externally. This incident made the vulnerability of the connected car widely known.
The incident also accelerated the trend toward regulation. The U.S. National Highway Traffic Safety Administration established cybersecurity guidelines for in-vehicle systems in the early 2010s, recommending the introduction of encrypted communications, OTA updates, and intrusion detection. The United Nations Economic Commission for Europe also adopted automotive cybersecurity regulations in 2020, and Japan and the EU have been applying them to new vehicles since 2022. In addition, Auto-ISAC, which promotes information sharing across the automotive industry, was established in 2015, and a mechanism was put in place for companies to exchange cyber attack information.
The Austin remote vehicle shutdown incident was the first crisis to arise from the transformation of the car from a means of transportation into a networked terminal. At the same time, it was a wake-up call for the entire industry and a watershed moment that prompted later regulatory and structural changes.