Is your car vulnerable to hackers?

How vulnerable is your car to hackers?

That question has gained urgency after Wired magazine documented a staged incident in which hackers remotely disabled a Jeep SUV, leaving its hapless journalist driver stranded in a ditch.

The short answer is that modern cars are ripe for cyber mayhem. Cars have become smartphones on wheels -- giant rolling cages of software code controlling brakes, steering and propulsion, not to mention radio, weather apps and air conditioning.

But some cars are more hack-bait than others.

The Wired hackers, Charlie Miller and Chris Valasek, targeted the 2014 Jeep Cherokee because they previously deemed it to be among the most hackable based on a survey of two dozen different models.

Other vehicles they deemed particularly vulnerable included Toyota Motor's 2014 Infiniti Q50 and Toyota Prius, General Motors' 2015 Cadillac Escalade, the 2014 Ford Fusion, the 2014 BMW X3 and i12 and the 2014 Range Rover Evoque.

Cars that are most susceptible to hacking attempts are among the newest vehicles on the road, typically including only cars that have Internet connectivity, mapping capability or infotainment systems. The study by Miller and Valasek and interviews with analysts suggest that the most troublesome vehicles are those with Internet systems embedded in Infotainment systems and connected to other networks on the car, such as those operating brakes and propulsion.

The "least hackable" vehicles they surveyed were the 2014 Dodge Viper, 2014 Audi A8 and 2014 Honda Accord.

In February, CBS' 60 Minutes, demonstrated how a General Motors car could be hacked through its OnStar connectivity system. The test was done in conjunction with a researcher from the U.S. military's Defense Advanced Research Projects Agency, or DARPA, which is trying to find ways to eliminate the threats.

"Everything is hackable," said Thilo Koslowski, who heads the automotive practice group for Gartner. "But remember that the automotive industry invented the term firewall. Now they need to apply it to bits and bytes."

INTERNET ACCESS

Like personal computers, cars can't be completely shielded from digital intrusion. One crucial step is to ensure that communication networks such as those responsible for brakes and acceleration cannot be accessed via the Internet.

"This is a violation of some very basic and known best practices," Steve Manzuik, director of security research at Duo Security, whose investors include Google. "It is this practice that makes attacks like what happened with the Jeep example possible."

​The Wired hackers accessed their Jeep Cherokee remotely by penetrating its UConnect infotainment system and reprogramming the vehicle. That was alarming for industry watchers who had previously questioned whether hackers could infiltrate a vehicle's systems without wired connections inside the cabin.

"It's hard to do, but the fact that it's possible is disconcerting," said Matt Clemens, a security solutions architect at Arxan Technologies.

The average modern car has about 16 "clear attack points," according to Frost & Sullivan. Those include routes that aren't immediately obvious to the average driver -- such as seemingly harmless tire-pressure monitoring systems.

The good news: hackers have not yet shown much interest in cars. There has never been a documented incident of hackers causing an accident on the roadways. For one thing, there's little financial incentive to attack vehicles. By directing their energy into computers and mobile devices, hackers can steal financial information. Cars typically don't store much personal data.

But sophisticated hackers simply looking to create mayhem could do some damage.

"It's creeping closer to where you could say that could be a malicious hacker," said Richard Wallace, director of transportation systems analysis for the Center for the Automotive Research.

GM, FORD

The auto companies say they're already investing heavily in R&D and sharing information with each other to improve vehicle cybersecurity.

GM, for example, hired a chief product cybersecurity officer, Jeff Massimilla, in 2014. Ford said it's integrating cybersecurity principles into its design "from the outset" of the product development process. "We are not aware of any instance in which a Ford vehicle was infiltrated or compromised in the field," Ford said.

A few weeks before the Wired report, carmakers representing 98% of vehicles on the road had already agreed to join a new consortium called Auto Information Sharing Advisory Center (ISAC), which will allow manufacturers to share information on cybersecurity measures without violating anti-trust laws.

"They're staffing up with a lot of really good software engineers or they're teaming with software companies that are already ahead of the game on this," said Jon Allen, a Booz Allen Hamilton cyber expert and consultant on the ISAC project.

Still, some lawmakers in Washington are disgruntled over the industry's cyber response. U.S. Sen. Edward Markey (D-Mass.) and U.S. Sen. Richard Blumenthal (D-Conn.) on Tuesday introduced long-in-the-making legislation that would require federal regulators to establish cybersecurity standards and ratings for the automakers.

That came after Markey released a report in February accusing the auto industry of "a clear lack of appropriate security measures to protect drivers against hackers."."

What's clear is that resilient cybersecurity technology is particularly vital as software engineers pack cars with code to handle automated driving systems. Analysts expect fully driverless cars to hit the roadways sometime within the next decade or two.

NEXT, DRIVERLESS CARS

When computers are driving cars, the bar will be higher.

Other semi-autonomous technologies are already here. For example, General Motors and Tesla Motors are introducing similar features this year that will allow luxury cars to self-steer in highway lanes.

"There's all these benefits we're getting from this technology, but it also is giving control of the vehicle over to computers -- and those computers might start being controlled by someone," said Karl Brauer, an analyst with Kelley Blue Book.

One way for automakers to shore up their cybersecurity is by adopting systems that allow over-the-air software updates. Some luxury automakers, such as Tesla Motors and BMW, can already do this.

When BMW discovered a flaw that could have theoretically allowed hackers to open vehicle doors using a smart phone, it set a security fix over the air to cars earlier this year.

Although over-the-air updates could also open up cars to other vulnerabilities, experts says it's a critical step to enable quick fixes.

"It needs to be easier for them to mass update their vehicles, as opposed to going to a dealer or using a USB stick. Most of the people driving out there won't bother to update if it's hard to do," said Clemens, the Arxan security solutions architect.

For their part, automakers are hesitant to say much publicly about their cybersecurity efforts. That's partly because they don't to make themselves a target for hackers who are often looking for a challenge.

But they also don't want to scare customers into believing there's a serious problem. Many consumers will choose to avoid products that they view as susceptible to hacking.

Frost & Sullivan analyst Praveen Narayanan said it's crucial for automakers to begin considering cybersecurity concerns at the beginning of their product design process.

But he urged consumers not to panic.

"Yes, there is a growing concern," Narayanan said. "But let's not get too much ahead of ourselves. All of this noise is coming from the security community – the community that wants business at the end of the day."

Follow USA TODAY reporter Nathan Bomey on Twitter @NathanBomey and Marco della Cava @marcodellacava.