The trend towards connected cars is accelerating. But one question remains unanswered: How long will it take the automotive industry to come up with one consistent IT security architecture in order to fully secure connected cars and prevent them from being easily attacked, manipulated or even hijacked?
The "Connected Car" has caused a sensation; it is not only redefining how we drive and deal with vehicles in general but, according to the analysts from McKinsey, is also triggering a fundamental restructuring of the global automotive market. Meanwhile, all major car manufacturers are engaging in corresponding initiatives.
All the more surprising is how little attention the issue of IT security gets when developing connected cars. This should be a key point when permanently connecting cars to the internet.
Today, numerous IT systems are installed in vehicles that communicate with the internet, e.g. to transmit telemetry data to the car manufacturer and to update GPS data or emails and video streams. Some vehicles have more than 100 control units and up to eight SIM cards permanently installed. Through all these systems, a connected car is extremely vulnerable. Attackers can tap more or less critical telemetry data, for example on individual driving behavior or travel destinations. If internal vehicle systems have not been strictly separated from each other right from the beginning, they can potentially be manipulated, not only to control the air conditioning but also, for example, to switch off the ABS or intervene in the steering. It is obvious that hackers can thus cause enormous damage.
What is missing is a consistent IT security architecture that comes with the appropriate security layer right from the beginning, i.e. an architecture in which IT security is a basic part of vehicle development. New players in the automotive market such as Tesla have an advantage – they can redesign a vehicle with a corresponding architecture from scratch, and take into account the requirements for safety. German car manufacturers take safety very seriously and have extended this to digital vehicle systems, but even they will have to permanently extend their digital architecture. A first step in the right direction would be establishing a general and binding standard for IT security in cars. We are already working on solutions and architecture specifications with many manufacturers in the automotive industry, but after taking this first step the industry needs to go further to prevent connected cars from crashing into the wall.
Within the next few years, our vehicles will communicate both with each other and with infrastructure like traffic lights, and that communication will reach deep into the car's CAN. After all, you need to be able to speak to the brakes in order to tell them it's time for an emergency stop. And those completely autonomous cars that so many can't wait for? Good luck getting one of those to work if it's not permanently connected to the cloud.