That view is widespread. “From my perspective, automakers were a little surprised and caught off guard by this threat,” said Doug Newcomb, a senior industry analyst at Wards Intelligence. “They added all this connectivity, but got ahead of themselves and don’t always think of the vulnerabilities that exist. It’s an ongoing issue, not a fix-it-and-forget-it thing.”
Failing to protect consumers can be costly, said Steve Tengler, a principal at the consulting company Kugler Maag Cie who has worked at Ford, Nissan and G.M., and was a senior director of connected vehicle cybersecurity at Honeywell.
Automakers are legally bound to provide state-of-the-art protection for their cars, Mr. Tengler said. “Legal precedents show that it’s not enough to provide a product that is kind of safe,” he said. “Companies don’t have to put themselves out of business to provide the safest technology, but they do have to work within their commercial ability.”
Mr. Tengler said the industry was a frequent target. “Every automaker has been hacked — every one of them,” he said. “Attacks aren’t a matter of if, but when and how.”
Once a car is out of warranty, automakers are used to cutting or at least loosening their ties. But hacking issues mean that protection will most likely require factory-to-junkyard monitoring.
In 2015, Fiat Chrysler recalled 1.4 million cars and trucks after Chris Valasek and Charlie Miller demonstrated, in a Wired magazine article, that they could remotely control a Jeep Cherokee’s brakes, radio, wipers and other functions by gaining access through its UConnect infotainment system.
The company declined to comment on any subsequent security changes.
Dr. André Weimerskirch, vice president for cybersecurity and functional safety at Lear Corporation, said that automakers had made “huge improvements” in recent years, and that joint efforts involving the industry, academia and standards organizations had also led to gains.