Home > Analysis > Clean sheet design essential to secure the connected car

Clean sheet design essential to secure the connected car

John Ellis joins Black Duck and Road Rules in Megatrends webinar to discuss connected car security

As long as a car is connected to the Internet, it is vulnerable. For this reason, there exists a consequential critical need to address core cyber security issues well before the point of a cyber attack.

But protecting the connected vehicle, passengers and back-end Big Data systems is no easy task, bringing with it many privacy challenges.

In a recent Automotive Megatrends webinar entitled ‘Automotive cyber security – protecting the connected car (part 1)’, these issues were addressed and debated by a panel of industry influencers.

“The connected car is a fabulous concept that exists in an increasingly hostile landscape,” explained Bill Weinberg, Senior Director, Black Duck Software. “There is not a day that goes by that we don’t hear about a breach in the software stack which ultimately, while connected, is always going to be in danger of being hacked. So can we ever achieve the secure connected car?”

Weinberg noted that 78% of the top 100 Android and iOs apps have been hacked. While this might seem like a surprising figure, he explained that remediation times by industries are key, but that this is a relatively new area for automotive.

A valuable target

But what motivates these black hats and cyber criminals, and why do they try to hack into cars in the first place?

Liz Slocum Jensen, Chief Executive at smartphone app and web service Road Rules explained that the motivations for hackers generally fall into three categories: financial and profit, political motivation or hacktivism, and in some cases, simply the challenge and research campaigns which have frequently been seen in automotive-related cyber attacks. “Universities in particular have been testing how to hack the connected car. These are known as white hat hackers, as they aren’t malicious, but open up security vulnerabilities to industry.”

A tangible threat

The speakers explained that there is ample research to show that vehicle connectivity is being used in a way that was not necessarily intended when it was architected. John Ellis, Founder and Managing Director, Ellis & Associates explained that the increasing popularity of Android Auto and Apple CarPlay amongst consumers provides opportunities for malware. “Another attack service has been opened up through the development of OBDII dongles that are cheap and cheerful and don’t necessarily provide the best in the way of security. Anywhere there’s an open connection, there is a way to attack. Once hackers can sniff it, they will start probing and find vulnerabilities.”

“I feel the real tangible threats are with remote payments via the car, which can be done through Android auto and Apple CarPlay,” explained Slocum Jensen. “Consumers are putting their iTunes library online, providing financial motivation for hackers and a real threat for the connected car.”

Collaboration is key

A key solution in addressing the cyber security challenge of the connected car is the emergence of collaboration initiatives among vehicle manufacturers, leading suppliers, developers and automotive cyber security experts.

While opening up connected car developments may sound like a strange concept to ensure its security, many believe that, going forward, it is the only solution. For this reason, the broad adoption of open source (OS) software within the connected car may just be a solution for the industry’s problem of inadequate cyber security.

“Around 78% of companies are now running their companies on OS, and less than 3% are not using it in any way,” explained Weinberg. “The use of OS within automotive has been on rise every year and doubled since 2012.”

The absence of true system architectures is a factor particularly unique to automotive, noted Ellis, adding that this creates a particular challenge. He explained that the mentality within the automotive industry of “ship and forget” is a considerable problem in creating a robust framework to secure the connected car. “The industry is still producing cars, shipping them, then forgetting about them. But in a world where consumers expect their car to be connected and updated throughout its lifecycle, that model is no longer acceptable, and needs to be continually evaluated. An OS industry framework could therefore see collaboration of the industry working towards continuous incremental improvements of the connected car.”

However, it is not enough just to build a framework and forget about it, either. Slocum Jensen observed, “OS allows for a solid foundation but it is still up to individual companies to build on that and create their own vigilant processes on top of that framework to further ensure the car cannot be compromised.”

She continued, “Many OEMs like to work independently and that’s because there are unique aspects of each design of the car. Everyone wants to solve problems on their own but that might in fact make the challenge of having a secure ecosystem even bigger.”

A clean sheet

If we can’t secure the connected car effectively now, can this ever be possible? Addressing this question, Ellis spoke about the definition of ‘secure’. “Everything connected to the Internet can be hacked. I think the real question is – can we build systems that can withstand the attack and deploy the best systems possible to handle the attack?” To this end, the industry needs to become more robust in its handling and make sure the vehicle is able to quickly identify that it is being attacked and respond accordingly. “If that’s the definition of a secure connected car then yes, it can be achieved,” said Ellis. “However, I don’t dispute that this is a long way off and requires very different mindsets.”

Weinberg concluded, “Black hats are very creative and will provide a constant struggle in securing the connected car. Until we begin to make the software robust and address security explicitly instead of implicitly, I don’t think we are even in a position to answer that question.”

Rachel Boagey

For more about this and other Megatrends webinars, follow this link