Q: What trends do you see developing in the automotive industry?
A: The industry is in rapid transformation toward autonomous, connected, electric and shared (ACES) mobility. Together with the rise of high-bandwidth 5G connectivity, this enables auto makers to deliver new in-vehicle services and rich content.
The global market for connected cars is forecast to grow significantly over the next few years as innovations in connectivity transform the automotive industry. The benefits to consumers are numerous: connectivity offers drivers everything from high-definition streaming media, Wi-Fi access, improved entertainment systems, to the ability to remotely control aspects of the vehicle using mobile phone applications, such as the locking/unlocking and ignition mechanisms.
Q: Many believe the growing technology found inside the car will bring its own set of challenges?
A: As with any other device that connects to the Internet, there is a potential risk to automotive security from cyber criminals. Security breaches can result in leaked personal data, threats to a vehicle’s essential security and safety mechanisms and, in extreme cases, full remote control of the car. And, as the industry moves toward more autonomous vehicles, these risks are only set to increase due to reliance on applications, connectivity and more complex and integrated electronic components.
As the number of sensors in vehicles increases rapidly, there is the potential for hackers to steal personally-identifiable information (PII) from the vehicle’s systems, such as personal trip and location data, entertainment preferences and even financial information.
And, as digital keys, wireless key fobs and mobile applications replace traditional physical car keys, car thieves can gain unauthorised entry to the vehicle. This can be done by intercepting communication between a smartphone or wireless key fob and the vehicle, using devices that extend the range of the wireless signal and emulate the wireless key to access a vehicle using the owner’s own wireless key fob, if the owner is still near their vehicle. Managing virtual car keys can be as difficult as managing physical keys, if not carried out correctly. Enrolment of a key, validation of an ‘unlock’ attempt and, most importantly, revocation, must all be handled securely.
Q: What about the challenges brought on by connectivity?
A: Cyber criminals can exploit flaws in a vendor’s implementation. Given that security has sometimes been an afterthought for connected cars and their components, this creates an easy target for hackers exploiting vulnerabilities using cellular networks, Wi-Fi and physical connections. Furthermore, connected vehicles need to be able to trust, and be trusted by, the components and service(s) that they connect to.
There is the potential for hackers to take control of safety-critical aspects of a vehicle’s operation – for example, by compromising the cruise control system to manipulate steering and braking.
Also, as more mobile apps are released by manufacturers for communicating with vehicles, the more these become a target for bad actors. For example, in the case of the Nissan Leaf, security testers demonstrated how they could gain unauthorised access to control the heated steering wheel, seats, fans and aircon remotely. In an electric vehicle, this can drain the battery and render it immobile. According to Gartner, 75% of mobile applications fail basic security tests. The number of security vulnerabilities in the Android and iOS mobile operating systems is also a source of concern.
Q: Some believe that the In-Vehicle Infotainment (IVI) systems are also vulnerable to hacker exploitation…
A: Innovations in vehicle entertainment systems – everything from sat nav to high-definition streaming media – bring benefits to drivers, but these platforms increasingly provide services that make use of sensitive data and are security-critical to vehicles and end-users. Both Android and Apple offer infotainment systems and vehicle-centric app stores, and there are opportunities for combining applications like payment and social networking with more vehicle-centric needs, such as tolls, parking and journey planning. Linking these worlds introduces new possibilities, but it also brings with it the threat that app-centric malware could attack the automotive platform.
Q: Can vulnerabilities be added to the vehicle through the supply chain, which is fairly complex in the automotive industry?
A: Automotive manufacturers rely heavily upon third party vendors to supply systems, software and hardware components for their vehicles. However, unless auto manufacturers impose rigorous cybersecurity requirements on their tier 1 and 2 suppliers, they run the risk of introducing security vulnerabilities via these components. Counterfeit components can also enter the supply chain, threatening safety by reducing wear ratings, overriding safety limits etc. Any component responsible for primary activities, such as braking, clearly needs to meet the highest standards of security.
Q: What can the automotive industry do to alleviate these problems?
A: The automotive industry has little historical experience of dealing with cybersecurity risks and this has become evident from the lack of security built into many of the software and hardware components in the first generations of connected cars. Furthermore, there appears to be a lack of adequate education about secure coding practices and rigorous security testing, much of which takes place too late in the product development lifecycle. And, to cut component costs, some safety-critical and non-safety-critical functions may share resources (processor cores, physical connectivity or internet access). Designing from the ground up, from the perspective of a hostile environment, is the only way to build “secure by design” systems that will be robust in the long term.
As new threats and attacks are discovered, the only effective solution is to ensure that the platforms can be easily and securely updated once deployed into the field. Many of these updates are delivered through supplied software, components and systems which rely upon wireless communications networks connected to personal computing devices, with their own inherent security challenges.
With cars having such long lifecycles compared to other smart devices, innovative OEMs and Tier 1 vendors must build connected car architectures with long-term security at their core. Failure to address these risks could have a catastrophic effect on consumer confidence, privacy, brand reputation, and most importantly, customer safety.