Modern vehicles have never been more functional and software-heavy, prompting comparisons to ‘super computers on wheels’. However, new risks arise every time an automaker introduces a new way for users to interact with a vehicle, be it through a brought-in device or an embedded application. It is a challenge that the automotive industry has gradually come to terms with, but cyber security is not a one-off fix—it is a daily fight against new vulnerabilities.
Connectivity is a broad term used to describe a variety of services and features related to the vehicle. From media streaming and voice commands to retail and mobility services, today’s Internet-connected car has lost its status as a connectivity ‘blackspot’. Indeed, one of the most utilised benefits of connectivity is the ability to share personal media within the vehicle. “But of course, with media comes the need for media security,” warned Dan Murdock, Principal Architect at Irdeto, during a recent Automotive World webinar.
In the past, that media was limited to radio. This has evolved to a point where most vehicles are able to stream digital radio or services such as Spotify and Apple Music. Robert Guest, Vice President, Product Management at ACCESS Europe expects video to be the next frontier, and “eventually apps, games, and e-commerce”. In future, he expects most vehicles will be able to pre-order a ‘drive thru’ coffee. “The business will know when your car is due to arrive, your drink will be ready and waiting, and can be paid for wirelessly. There’s zero friction,” said Guest.
For hackers, who often target missed vulnerabilities that can be found in complex software, the vehicle has become a potential source of significant bounty. Personal information—i.e. payment details, travel habits—and even control of the vehicle are all, in theory, up for grabs.
The connected trend, and its risks
With today’s smartphone, consumers have become accustomed to accessing multimedia everywhere they go, and the car, said Murdock, should be no exception. “Passengers in the car are more connected than ever, and expect that connected experience to continue,” he explained.
The millennial generation has also pushed the world toward a service-driven era, rather than ownership. “It is about getting what you want and when you want it, without being tied in to a long-term contract,” he continued. “People are not looking for a single static service, and being able to adapt to that within the automotive environment is extremely important.”
Some vehicle modules now have eight different means with which to connect to them—it’s an enormous attack surface
All of this has driven an ‘innovate or die’ mentality within the automotive industry, with those that cannot adapt quickly at risk of losing out. “The rapid addition of new services to the vehicle will become critically important,” said Murdock. “Those that can’t adapt in the mobile space quick enough are not around anymore, and the same may be true about the vehicle.”
Technology does not make its way into the vehicle without rigorous testing, and the same goes for software. Numerous tools are used to sift through code to check for bugs, but the general consensus is that vulnerabilities will always be missed. More technology means more entry points, and this makes the vehicle more susceptible to a cyber attack than ever. “The ubiquity of connectivity now creates new problems that did not exist before,” explained Murdock. “There are now numerous remote entry points to the vehicle where hackers can look to disrupt vehicle operations, OEM business models, and the driver experience. Some vehicle modules now have eight different means with which to connect to them—it’s an enormous attack surface.”
Then there are over-the-air (OTA) software updates, which allow automakers to refresh these features over time. Tesla, for example, has been instrumental in bringing this approach into the automotive space; a recent update boosted the power output of all its models by around 5% via an update sent out overnight. By comparison, nearly 60,000 Mitsubishi vehicles were recalled in the US in 2018 due to a software fault affecting the anti brake-lock system (ABS) and electronic stability control (ESC) functions. While they may not be comparable issues, the attraction of an OTA update becomes clear: owners are no longer required to bring their cars in to a garage for software tweaks, and automakers can save time, money and face.
The rapid addition of software-based features, often complex and laden with unnecessary code, is not a recipe for security. “We are seeing many new entrants into the market that are able to modify the vehicle and its connected services very quickly,” said Guest. “That brings a bright new future, but also many new opportunities to hack into these devices, which is why they need to be secured.”
A flurry of publicly announced research-led hacks between 2013 and 2017 made the risks of sub-par cyber security clear. Flaws in anything from wireless key fobs and infotainment systems, to mobile apps and OBD ports, have been exposed.
The industry needs to work together, and security has to be seen as an investment
While these hacks have not been made with malicious intentions, hackers are generally motivated by the potential for financial gain. “We think about what are attackers trying to do, rather than focus on individual features of security. In that sense, they’re all essentially trying to make money,” Murdock explained. “They are trying to extract and monetise information for many interesting and malicious purposes.” However, the risk profile of a personal computer is very different to that of a modern car, which can weigh around two tonnes and travel at speeds of up to 70mph. A hack could prove life threatening for not only its occupants, but also those in the surrounding environment.
With this in mind, Murdock and Guest set a poll to the audience during the Automotive World webinar, which posed the question: Are you planning to implement IVI security solutions? All audience members—who work across various elements of the automotive value chain—responded ‘yes.’ “This is hugely encouraging,” said Guest, who concluded that it will take a collective effort to protect vehicles from hackers. “It is an industry-wide problem. The industry needs to work together, and security has to be seen as an investment,” he said. “Individual companies should not keep their work under wraps.”