Cybersecurity of Connected Cars: Trends and Pitfalls

Chief Technology Officer, ScienceSoft

Editor's note: In the article, Boris elaborates on real and hyped security threats that connected car solutions are exposed to and shares some best practices to ensure the appropriate automotive IoT solution security. Should you implement one, ScienceSoft gladly offers its IoT consulting services to help you set up only safe and reliable connected car solutions.

The modern automotive industry is steadily going digital. Everything, from vehicle tracking to driver monitoring to accident prevention, takes place on the Internet now. Terabytes of data travel between vehicles, cloud networks, wearables and mobile devices and, as many experts reasonably suggest, represent a desirable target for cybercriminals.

According to BI Intelligence, by 2021 the number of connected vehicles around the world will be over 380 million. In this regard, we cannot just sweep the issue of cybersecurity under the carpet. A car is a complex mechanism to which we entrust our lives and the lives of our loved ones every day. Are hackers really able to gain access to a car system and tamper with it? Is there a threat of massive traffic disruption? How can we differentiate between actual concerns and those hyped by the media? These are the questions we all want answered.

What's the problem?

The thing is that connectivity is a threat in itself. Cars nowadays are heavily equipped with electronic control units (ECUs). They manage various car systems and are connected to each other via an internal network. Daniel Allen, a researcher with the Center for Climate Change and Security, even called modern vehicles wheeled computers.

Once a car becomes part of the IoT via wireless communication interfaces, the closed vehicular system becomes exposed to external interference. The problem here is that if a hacker interferes with one unit, let us say GPS, they can immediately reach others, including brakes, transmission and other vital parts of a vehicle. They may go further by gaining access to all cars of a particular manufacturer, or even a manufacturer’s IT system, through a breach in vehicle cybersecurity software.

Why do this?

As vehicles are getting more interconnected, hackers have multiple options to do the automobile industry a disservice.

Options range from remotely unlocking a car in order to steal it, to industrial espionage, to personal revenge. Personal information accessible via the mobile devices that most cars are connected to is, undoubtedly, the most attractive target.

Finally, criminals may simply steal the software code and offer it for free, or even wreak havoc on the roads of the whole state – who knows what they have in mind?

Anyway, the consequences may be painful. Lack of security may cast a shadow on the whole industry of connected vehicles, and result in the lack of trust in manufacturers.

Why does it happen?

Modern vehicles represent an extremely complex entwinement of engineering and technological marvels. Besides, they are usually developed by several parties, including car makers, hardware suppliers and software development companies. This makes the system even more complex and difficult to protect against external attacks.

One more challenge is that a typical car lifecycle lasts from five to seven years. During this time period, dozens of security software updates may become available on the market. This usually results in releasing cars with outdated software, which increases the likelihood of attacks.

Besides, car makers do not always have enough expertise or human resources to properly manage security software. Sometimes they may even underestimate the danger of cyberattacks. Due to different development schedules, software may be released before tests for breaches in defense have taken place. Without proper testing it is impossible to determine whether software adequately responds to the risks it is designed for. As a result, both developers and manufacturers are uncertain about its reliability.

If not properly ensured, car security may be a disaster. Nowadays, consumers are pretty well aware of the risks connected cars are subject to, and they are not willing to put themselves and their families at risk. Thus, keeping cars safe from hackers has become a matter of not only ensuring safety (which is, undoubtedly, a priority), but also building trust in a brand.

The moment of truth

Actually, major hacker attacks on connected cars are yet to happen. That’s why neither the broad public nor manufacturers have ever been particularly concerned about cybersecurity.

It all started with Charlie Miller, a security engineer with Twitter, and Chris Valasek, the director of vehicle safety research with IOActive. In July 2015, they tampered with a Jeep Cherokee’s infotainment system, Uconnect, and one by one disabled practically every component, from the air-conditioning system to the engine. Most frightening is the fact that they literally knocked the system out while located miles away from the vehicle.

That was not a malicious act, of course. Miller and Valasek reported their findings to Chrysler, and the latter recalled 1.4 million Cherokees to diagnose and remedy the gaps in their security system.

When Miller and Valasek did it for the first time in 2013 with a Ford, sitting in the back of the car with a laptop plugged into the car network, they were made fun of. “Really, if breaking into a car’s brains requires physical presence, hackers do not have a single chance to succeed,” everyone thought.

Now, there is no more kidding around. In August 2016, specialists of Keen Security Lab of Tencent, a Chinese telecom company, breached the security software of a Tesla Model S, a car that is considered a breakthrough in the world of semi-autonomous cars. It became pretty clear that cybersecurity is not to be trifled with.

Precautions

Handling of security software is a multifaceted process, and it should be integrated into the company's daily operation. At each development stage, specialists should monitor and test software and report gaps whenever they occur. For these purposes, a comprehensive test strategy and procedures should be developed.

Timely updating is also a must. Here, the challenge lies in finding a way to bring together the different lifecycles of a car, its hardware and its software.

The interconnection between different car ECUs is probably the weakest link in the whole system. A car's internal network needs a multilayer system of defense. In other words, each ECU, and most importantly the borderline ones, requires its own piece of defensive software. At the same time, defensive software for the whole internal network should also be installed.

Another vital aspect is the ability to recognize hacker attacks in real time. Most currently available security software can only record them to be retrieved later, sometimes even by the manufacturer only. In the near future, with the broader expansion of vehicle-to-cloud technology, unauthorized entry attempts will be identified and prevented immediately.
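The layered defense and real-time recognition described in the two paragraphs above can be pictured as a gateway between in-vehicle network segments that forwards only allowlisted messages and flags allowed ones that arrive faster than their schedule. This is an added example, not code from the article or from ScienceSoft; the segment names, message IDs and timings are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Segment names, message IDs and timings are constructed for illustration. */
enum segment { SEG_INFOTAINMENT, SEG_TELEMATICS, SEG_POWERTRAIN };
enum verdict { FORWARD, DROP_NOT_ALLOWED, DROP_TOO_FAST };
struct rule  { enum segment src, dst; uint16_t id; uint32_t min_gap_ms; };
struct frame { enum segment src, dst; uint16_t id; uint32_t t_ms; };

/* Layer 1: default-deny allowlist of flows that may cross the gateway. */
static const struct rule RULES[] = {
    { SEG_POWERTRAIN, SEG_INFOTAINMENT, 0x3E8,  90 },  /* speed for display */
    { SEG_TELEMATICS, SEG_POWERTRAIN,   0x2A0, 900 },  /* diagnostic poll */
};
#define N_RULES (sizeof RULES / sizeof RULES[0])
struct gateway { uint32_t last_ms[N_RULES]; uint8_t seen[N_RULES]; uint32_t alerts; };

enum verdict gateway_check(struct gateway *g, const struct frame *f) {
    for (size_t i = 0; i < N_RULES; i++) {
        const struct rule *r = &RULES[i];
        if (r->src != f->src || r->dst != f->dst || r->id != f->id)
            continue;
        /* Layer 2: an allowed message sent faster than its schedule is flagged at once. */
        if (g->seen[i] && f->t_ms - g->last_ms[i] < r->min_gap_ms) {
            g->alerts++;
            return DROP_TOO_FAST;
        }
        g->seen[i] = 1;
        g->last_ms[i] = f->t_ms;
        return FORWARD;
    }
    g->alerts++;                 /* no rule matched: blocked and counted immediately */
    return DROP_NOT_ALLOWED;
}

/* Constructed trace: two speed broadcasts, a write from infotainment, three polls. */
static const struct frame TRACE[] = {
    { SEG_POWERTRAIN, SEG_INFOTAINMENT, 0x3E8, 0 }, { SEG_POWERTRAIN, SEG_INFOTAINMENT, 0x3E8, 100 },
    { SEG_INFOTAINMENT, SEG_POWERTRAIN, 0x2A0, 120 }, { SEG_TELEMATICS, SEG_POWERTRAIN, 0x2A0, 1000 },
    { SEG_TELEMATICS, SEG_POWERTRAIN, 0x2A0, 1010 }, { SEG_TELEMATICS, SEG_POWERTRAIN, 0x2A0, 2000 },
};
#define N_TRACE (sizeof TRACE / sizeof TRACE[0])

/* Replays TRACE[0..n] through a fresh gateway; returns the verdict for frame n. */
enum verdict trace_verdict(size_t n) {
    struct gateway g = {0};
    enum verdict v = DROP_NOT_ALLOWED;
    for (size_t i = 0; i <= n && i < N_TRACE; i++)
        v = gateway_check(&g, &TRACE[i]);
    return v;
}
```

In the constructed trace, the infotainment segment's attempt to address the powertrain is dropped because no rule permits that direction, and the second diagnostic poll is dropped because it follows the first by 10 ms instead of the allowed 900 ms.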

As new cybersecurity solutions appear on the market, there is the need for all concerned parties to come together to bring them to the common standard. Here, the idea to “make friends” with hackers (read: the potential enemies) should not be neglected.

Many technology companies have already successfully introduced “bug bounty” programs; in other words, they have encouraged hackers to participate in adversarial tests of security software on a reward basis. This counterintuitive approach kills two birds with one stone. It enables hackers to enjoy legal cash flows, while car makers use their expertise for peaceful purposes. Besides, no one can identify the flaws in security systems better than those whose vocation is to breach them.

Reality or media hype?

Though there is so much buzz around cybersecurity, some experts believe ordinary consumers still have nothing to worry about. Scott Frank of Airbiquity and Chris Poulin of IBM attribute the fuss around cybersecurity largely to panic in the media after several white-hat hacker attacks took place.

They both reckon the primary target of cyberattacks would be personal information that can be used for money extortion. As criminals usually want to gain as much profit as possible with as little effort as they can, attacks would hardly be massive. They require significant “input”, and the “output” is not always rewarding enough.

Thus, the possibility that hackers would destroy traffic flow just for fun, or because they are guided by an evil idea, is still small, Frank and Poulin say. For now, the level of cybersecurity modern manufacturers maintain in their cars is adequate to protect an average consumer. However, as we are transitioning from connected to fully autonomous cars, there is still a long way to go.