Many cars on our roads today are more akin to complex mobile devices on wheels than vehicles in the traditional sense. Crammed full of IoT sensors, microchips, software and connectivity, they promise to extend our corporate and home networks onto the open road and improve vehicle safety and reliability. Yet we’re also increasingly seeing research which proves these systems are no different from any other part of the Internet of Things: they’re riddled with vulnerabilities and architectural weaknesses which could expose them to a cyber attack. 

The question is: when is the industry going to get its act together and introduce a common, binding IT security standard? Because when it comes to cyber threats on the road, it’s not just corporate profits and reputations but also lives that are at stake.

There are serious challenges associated with increasing connectivity and embedded computing functionality inside our cars. Vehicles today are crammed full of technology to improve the driving experience. In fact, some cars have over 100 control units and up to eight SIM cards installed permanently. But while these offer a range of new functionality, they also expose the connected car to online threats.

One of the first major pieces of research released on this came from Charlie Miller and Chris Valasek, who demonstrated how to remotely hack a Jeep Cherokee, controlling the steering and brakes. They exploited several vulnerabilities and weaknesses, from the connectivity element to the lack of secure separation between various on-board systems. This remains a key area of concern for security experts, who warn that the ability to move laterally could let a hacker infiltrate at the car’s weakest point and then pivot from, say, entertainment systems to the control bus in charge of steering.

Others have highlighted weaknesses in the mobile ecosystem surrounding connected cars. Research released earlier this year claimed that hackers could target this area to locate and unlock connected cars. Yet car theft and privacy concerns surrounding theft of data from the vehicle pale in comparison to the damage that could be inflicted if a hacker managed to tamper with the ABS braking system, for example.

What we desperately need here is a unified industry position on this which will help create a baseline of security to work from. Some governments are already getting involved. In the UK, for example, the 5*StarS consortium has just won public funding to develop an Automotive Cyber Security through Assurance project. It will aim to develop a methodology which can be used by carmakers to ensure all vehicle systems are tested to meet cybersecurity standards. It’s a step in the right direction, but we arguably need a more inclusive international approach.

In the US, legislators have proposed the Security and Privacy in Your Car (SPY Car) Act, which will require carmakers to comply with “reasonable measures to protect against hacking attacks” and ensure driving data is “reasonably secured to prevent unauthorised access”.

Again, this is a good start, but do we need legislation? It’s time for the industry to come together to develop a common architecture which ensures security is designed into the car manufacturing process from the start. We need to ensure critical systems are isolated from non-critical ones, test rigorously for any vulnerabilities, and have some kind of on-board system to block any attempts to take control of the vehicle.

New players in the automotive market such as Tesla may have an advantage: they can redesign a vehicle with a corresponding architecture from scratch, and take into account the requirements for safety. Established manufacturers, on the other hand, must maintain backward compatibility of their systems.

The first step is to establish a binding standard for IT security in cars. NTT Security is working on specs and solutions with many carmakers, but we need an industry-wide approach if we want to make any kind of impact. 

Let’s not wait for the first tragedy to strike before we make cybersecurity a priority on our roads.