BI Intelligence predicts that by 2020, 75 percent of cars will have Internet access built in. A Gartner report says that by 2020, 150 million vehicles will be connected via Wi-Fi and that between 60 and 75 percent of those drivers will be consuming, creating, and sharing Web data. That means that more than 150 million cars will be sharing two-way information across the Internet, which means they will be more susceptible to security breaches, malware, and data theft.
Two-way Communications Opens the Door to HackingOne of the reasons that threats to connected cars are so potentially dangerous is because every component in the car is connected, which means every component has the potential to be compromised. Carmakers are embracing the concept of the Internet of Things (IoT), where devices are equipped with sensors can be accessed via the Web to monitor performance. The more sensors that can be built into the connected car, the more car functions can be tracked and reported. And with remote access, those same telematics can be used to alert the dealer about scheduled maintenance or performance issues, or for the manufacturer to issue updates to firmware.
Two-way communications has benefits for the manufacturer, making it easier to gather data and distribute software, but it also creates the potential for more security threats. For example, Germany’s automobile club, the ADAC, was able to successful hack BMW, Rolls Royce, and Mini models equipped with the ConnectedDrive feature. By simulating a fake phone network, the ADAC was able to take advantage of a security gap in the software and gain access to traffic information, the air conditioning system, and electric door locks. BMW was able to distribute a software patch to fix the bug and is now using HTTPS for secure data transmission, but the breach highlights the connected car security problem.
Here in the United States, hackers Charlie Miller and Chris Valasek working with a reporter for Wired magazine were able to hack a moving Jeep through the wireless infotainment system, disabling the radio, windshield wipers, and even the transmission. The demonstration was designed to show how vulnerable Chrysler vehicles are to cyberattack. The hackers are sharing their code with Chrysler engineers and the company recently issued a recall to 1.4 million vehicles to patch security holes in the infotainment software. Unfortunately, unlike the BMW solution, Chrysler has no way to distribute the software upgrade wirelessly so they are manually shipping USB drives to car owners with instructions to upgrade the software themselves.
Recognizing the potential threat to connected car owners, the U.S. Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) have introduced a bill designed to address both cyber security and privacy in connected cars. The bill would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish new standards that would secure drivers’ vehicles and their privacy. Called the Security and Privacy in Your Car (SPY Car) Act, the bill would require new standards to defend vehicles from hackers, and new standards to safeguard personal data. It also would create a rating system to inform car buyers how secure their vehicles are.
OEMs Have to Become Security ExpertsOEMs are going to have to develop new strategies to protect connected vehicles. For example, unscrupulous hackers could threaten to blackmail carmakers at the same time they pose a real threat to drivers. Or consider what happens when a burglar hacks a car’s geotracking system to make sure homeowners are out of town.
Cisco and Continental have been working together to address the car security problem in the same way enterprise network engineers look at security. With the connected car there are multiple points of potential attack – the home network, the web, a smartphone, etc. Once a Trojan or worm is introduced to the automobile network car systems can be compromised at any time, so they are developing strategies to prevent computer viruses.
OEMs also need to be concerned about protecting personal data. As the connected car comes to serve as an extension of consumers’ digital lifestyle, sensitive personal data will used by the automobile’s network. For example, consumers want to be able to buy and download content such as streaming music from their cars. They also want to take advantage of new capabilities, such as monitoring speed and driving habits to lower insurance rates. This means sensitive data such as passwords and even credit card information will be accessible, and hackable, from the car network.
All of this means OEMs need to become security experts. Different development teams are writing computer code that is embedded in preconfigured automotive systems. OEMs need to know where all the code comes from, including any open source code. To address software security, more car companies are creating developer test teams to validate source code, including open source, to make sure there are no bugs or security gaps. Developers also need to adopt standardized protocols and procedures for automated and secure code testing to test and retest new source code.
OEMs also are going to have to develop new onboard security systems, authentication protocols, automotive firewalls, and other security tools to protect the automotive network. You can be sure that manufacturers and OEMs are going to learn a lot from the enterprise networking community, and they will be hiring more security-savvy developers to protect the new generation of connected cars.
Topics: Connected Car - Security