The connected vehicles trend shows no sign of winding down…
Security experts are paying increased attention to the rising number of connected cars on the road. The UK is predicted to become the fulcrum of connected cars’ deployment by 2030 (Frost & Sullivan), writes Alan Grau, VP of IoT/Embedded Systems, Sectigo.
Unless automotive manufacturers and suppliers strive to build security into cars from the beginning, this influx of connected cars will carry an increased risk of business disruption and to personal safety. Any new Internet of Things (IoT) device opens another vulnerability point, and, when those “devices” are vehicles transporting people at high speeds on roadways, these vulnerabilities become safety risks.
This is not just a theoretical problem for future cars. In fact, two-thirds of new cars registered in the UK today are already connected, estimates the Society of Motor Manufacturers and Traders (SMMT). This connectivity is great for advanced telemetry services, over-the-air updates, and content for in-vehicle infotainment (IVI) systems. It also means the car is connected to the internet, so communication – along with risk – goes two ways. While the vehicle can send helpful data about the driver and the car to the manufacturer, the mechanisms that control its movement, such as steering, braking, and acceleration, can all be hacked by hostile actors if the car’s electronic control units are not authenticated and secure.
A major threat lies in a hostile actor infiltrating the communication or control networks that connect the cars, enabling an attack against an entire fleet. Such an attack can potentially require few resources while harming many passengers, vehicles, and pedestrians.
Automotive Communication Endpoints
So how do we ensure that every automotive communication endpoint is authenticated and uses encrypted communications?
Accountability starts in the supply chain. Smart device technology keeps developing at lightning speed, but security often remains an afterthought. We lack worldwide standards to ensure that every device (including car components) is known, authentic, and secure. Connecting the car to the internet happens via chips and code, but despite the critical nature of these components, too often manufacturers have no visibility into their own supply chain and remain unaware of whether the open-source code they are using contains malicious elements, or if the selected chip is appropriately verified to guarantee its safety. This lack of knowledge means intruders could already be lurking before the product is even complete, biding their time to deploy an attack.
Digital certificates exist for exactly this purpose: each is issued by a trusted Certificate Authority to confirm that the device or code is what it purports to be, has not been tampered with, and is safe to connect to a network without fear of sabotage. In a sense, a digital certificate is like a valid number plate for an IoT device, and like number plates, no car should be allowed on the road without one.
In addition to certificates, an increasing number of auto manufacturers are layering on security technologies such as embedded firewalls, which enable automotive electronic control unit suppliers to enforce filtering rules and detect anomalies in network communications to prevent cyberattacks. Embedded firewalls maximise driver safety and help prevent the loss of intellectual property, disruption of services, and proliferation of an attack to other systems.
The legislatures in the UK, Australia, and the State of California have begun to implement or draft IoT security regulations, but until security technologies are the norm and not the exception, ad hoc regulations still leave the door open for rogue devices to enter the network, infect it, and force other connected devices to misbehave, including cars going 120 kilometres per hour on busy roads.
The connected vehicles trend shows no sign of winding down, so correcting blatant security failings is imperative. Manufacturers putting vehicles on the road should be held accountable for the safety of their product, and resilience to cyberattacks should be one more factor in their quality controls.