Is the auto industry sleeping through the cyber security nightmare?

As cyber attacks move from potential threat to reality, Rachel Boagey asks whether the automotive industry has done enough to secure the connected car against future cyber crime

With consumer demands for connectivity in the car increasing by the day, a stable connection from the car to the Internet is now a necessity. But with this growing necessity comes the increasing ability of hackers to gain access to essential vehicle functions and features. Once inside, an attacker can utilise the vehicle’s internal communication bus and – depending on the vehicle’s electronic architecture – could potentially take control of additional modules, including safety-critical systems such as the anti-lock braking system (ABS) and engine electronic control units (ECUs). There is also the possibility for hackers to take and use information about drivers’ habits for commercial purposes without their knowledge or consent.

With these threats becoming more prevalent, exposing the car and the people in it to multiple risks, the industry cannot delay in acting to protect the connected car; indeed, many think the industry should have acted sooner.

Before the storm

While ethical – ‘white hat’ – hackers open up interesting findings in the name of research for the automotive industry, the concern is that if they can successfully hack into a car, so too can those with more malicious intent – the ‘black hats’.

The added complexity and convenience of technologies in cars comes with the risk of introducing vulnerabilities which attackers are all too happy to exploit, explained Joel Clark, Research Consultant from vulnerability testing firm MWR InfoSecurity. Speaking to Megatrends, Clark insisted that the industry may begin to see an increase in the complexity of attacks as vehicles become more connected. He also noted that there are some well-understood, industry standard best practices for keeping infrastructure secure, which the automotive industry could look to for inspiration. “For example, it is key that safety-critical systems, such as engine management or brake-by-wire, are segregated from non-critical systems, such as the navigation system. It should be physically impossible to compromise a user’s phone and use it to control anything but which song is playing on the radio.”

Controlled chaos?

Even though connected car technology is not new, it hasn’t become a commodity yet, explained Nazar Tymoshyk, Security Consultant and Certified Ethical Hacker at technology solutions company, SoftServe. Tymoshyk told Megatrends that although the industry is not currently prepared to handle security threats to vehicles, standards such as ISO 26262 are raising the ability for the industry to come together and understand the kinds of risks facing the connected car. “But the industry is yet to realise a widely defined standard for security,” he said. “For this reason, it is hard to measure security and the compliance of different versions of connected car solutions.”

Stanislav Breslavskyi, a colleague of Tymoshyk and a Security Engineer at SoftServe, believes that, in a nutshell, terms like ‘controlled chaos’ characterise the connected car industry. “Every smart-car vendor offers their own hardware and software, with a custom set of tools and technologies. They are all focusing on features rather than security. Such an approach increases the number of security bugs,” he said.

Using an already existing solution, such as open source (OS) software, is the right step towards a secure connected car, believes Breslavskyi. “Still, not all of the vendors go along with using ‘third-party’ software. In this case, the best way to ensure their customers’ security is to establish a Secure Software Development Lifecycle when all development processes – from defining requirements to production – are performed with security in mind embodied in all-round security testing, both automated and manual,” he told Megatrends.

Tim Erlin, Director of Security and Product Management at advanced security firm, Tripwire, believes that while software patches for vehicles aren’t new, the demonstration of vulnerabilities is clearly attention-grabbing. “The risks of the connected car lie in the ability to affect the operations of the vehicle from the outside world. The good news is that secure software development isn’t a novel concept. There are known best practices that can be applied to automotive software as well,” he explained.

Autonomous dreams

In a white paper released in August 2015, Chris Valasek and Charlie Miller detail a remote attack against an unaltered 2014 Jeep Cherokee that resulted in physical control of some aspects of the vehicle. The white paper was published to coincide with presentations at the Black Hat and DEFCON hacker conferences.

With the development of autonomous vehicles, where software and connectivity play a critical role, security becomes an even greater concern. Is it safe to consider autonomous cars before cyber security is properly managed?

“The first autonomous cars will pop up sooner than new safety rules, cyber security measures, and standards get designed and implemented within the automotive industry,” explained Yurii Bilyk, Security Engineer at SoftServe. “In today’s digital world, technology isn’t a privilege that can be isolated and kept only for yourself; it’s spreading too quickly and we can’t fully control it,” he said.

“The development of autonomous vehicles and several other related, and very advanced, driver assistance and active safety features continues in parallel with connected vehicle environment,” explained Paul Mascarenas, FISITA’s President and Chairman of the Executive Board. “Many of the same solutions and best practices apply, together with some unique challenges. Consideration is given to security, privacy, liability and in addition the policy issues that need to be worked through in order to provide the regulatory framework that allows these vehicles to operate.”

Can the industry ever secure the connected car?

“There is no such thing as 100% perfect security,” believes Mohsen Mohseninia, Vice President of Development, Europe, at Machine-to-Machine (M2M) communications company, Aeris. “If you have a 100% secure system, nobody can talk to it and it can’t talk to anybody. It is a balancing act.”

Mohseninia explained that Aeris has a dedicated core network, which means that except for radio transmission between the device and network, everything else is an isolated network preventing external sources communicating directly with the devices. “That protects the devices completely from any spam that may try to enter,” he noted.

Bohdan Serednytskyi, Security Engineer at SoftServe, agrees. “There is no system that is fully secure,” he observed. “It is only possible to reduce risks to the minimum level, but some security holes are always there, very often as a result of little or no knowledge about new vulnerabilities, so-called zero-day attacks, or just because of human mistakes.” While automotive technologies are continuously adding new features to their functionality, they are also attracting hackers’ interest: the more features a connected car has, the more ways there are to attack the system.

Onwards and upwards

In the wake of high-level cyber attacks on a growing number of major corporations and government departments, the issue of cyber security is gaining increasing attention in the mainstream media, and it’s clear that cyber attacks are a present and future danger that must be resolved.

Connectivity has always meant access, but luckily, Tymoshyk believes the industry is beginning to realise the threat. “The major risk for the industry is the ability of an attacker to get remote control of a vehicle,” concluded Tymoshyk. “The silver lining now is the fact that vendors start thinking about security right from the development process.”

“Software manufacturers have always and will always have the possibility of vulnerabilities, from multi-million dollar organisations down to the small software vendor from your local town,” said Mark James, Security Specialist at IT Security Firm ESET. “Very few bits of code can be declared 100% safe. The main thing is being open to the fact that you could be vulnerable and having the plans and the means to find, fix and distribute that fix as quickly as humanly possible. As more and more devices become linked together we will see them scrutinised and checked. It’s not a bad thing if handled in the right way from all parties involved.”

“They say if you want to remain in the same position, you have to run very fast, and the same applies to security,” Serednytskyi said. “Going forward, therefore, it is clear that broader efforts will be needed to control attacks from hackers, even if in reality, the connected car can never be 100% secure.”

Rachel Boagey

This article appeared in the Q3 2015 issue of Automotive Megatrends Magazine.