Red handed – connected car ‘threat analytics’ could catch cyber attackers in the act

Connected and autonomous systems promise to improve vehicle safety, but does the risk of a cyber attack undermine this benefit? By Josh Wickham

As vehicles become increasingly automated and connected, the challenge for automakers becomes reassuring consumers that it is safe to make the switch. However, the threat of cyber attacks could make this difficult.

Application protection firm Arxan Technologies aims to put its customers one step ahead of cyber criminals. It has been active for 18 years, and for the last five has specialised in protection software for connected vehicles. Automotive, says Rusty Carter, Vice President of Product Management at Arxan, is a rapidly growing industry which is made “massively vulnerable by the risks associated with being connected.” With 125 million cars with connected capabilities expected to ship worldwide between 2018 and 2022, according to a recent report from Counterpoint Research, there is an obvious need for sophisticated protection software.

Arxan, says Carter, is ready to fulfil that demand through its Threat Analytics programme, which launched earlier in 2018. Threat Analytics is a ‘monitoring service’ that provides users with visibility into cyber attacks, allowing them to pinpoint the source of the threat and optimise their defences to stop it. The programme gives users real-time data showing exactly how attackers are targeting an application. Without such protection in place, victims of cyber attacks often cannot identify the source, leaving them unable to combat it. Speaking to M:bility, Carter explained that Threat Analytics is also a key component of protecting a connected vehicle. “It is really an instrumentation of all of the security controls and detections that we put into an application,” he added.

The threat and the solution

Although connected and autonomous vehicles could be hugely beneficial to the safety and efficiency of transportation, their functionality is highly dependent on computerised systems and the internet, making them a target for malicious activity. “A connected vehicle has a large attack surface, and we’ve found that the biggest vulnerability today is the user’s interactions via a mobile device,” advised Carter. “We have customers that use Threat Analytics to protect a connected vehicle that uses a smartphone as a key, which offers hackers an entry point.”

As these applications and the devices are connected to the internet, criminals are looking for opportunities to take advantage of that

Research into connected vehicle threats has been ongoing for some time now. At the 2015 Black Hat USA security conference, one demonstration involving a Jeep Cherokee displayed the ease at which vehicles with connective capabilities could be hacked, and how systems such as braking, steering and acceleration could be controlled remotely. “Criminals are looking for opportunities to take advantage of the fact that these applications and devices are connected to the internet,” Carter said. “For years now, people have tried to plug into the electronic control unit (ECU) and manipulate a vehicle through a wired connection. As these become connected over the network, all those vulnerabilities are exposed.”

Carter emphasised that cyber attacks on connected vehicles represent a substantial threat moving forward. Part of the risk is that a car could be hacked whilst being driven, the dangers of which were illustrated back in 2015 when Wired journalist Andy Greenberg was left stranded on a St. Louis highway. Although cyber crime has the potential to cause harm to drivers, passengers and other road users, Carter suggested that it is more likely for cars to be hacked and stolen whilst stationary.

Consumer concerns

Connected and autonomous vehicles will be a new and potentially intimidating concept for many consumers. For those that have been in control of the vehicle for their entire life, it will be challenging to convince them to relinquish some, or all, of this control to a computer. However, Derek Viita, Senior Analyst for Strategy Analytics’ Automotive and Mobility UX team, explained that: “With the proliferation

of smartphone ownership and usage, consumers increasingly understand the privacy-convenience trade-off with such devices.” He stated that as a result of this, consumers’ privacy concerns tend to become “deprioritised” during the purchase process, though they are re-prioritised if a breach occurs.

Akshay Anan, Executive Analyst for Kelley Blue Book, told M:bility that consumers are typically not concerned about the risks of a cyber attack. “Potential cyber attacks can be a deterrent for consumers considering purchasing connected cars, but the reality is that most consumers do not think about the topic unless it is in the news. Consumers do expect to be safe from threats, though they are far more concerned about issues such as bad driving.”

Many consumers are inherently fearful of connected driving and at Arxan we want our programmes to reassure them

However, as automated vehicles become more common, the conversation around cyber security is expected to heat up; this could represent a barrier to sales, and challenge the automotive industry’s marketing efforts. “There is a lack of awareness from the consumer’s side and this is something that car manufacturers need to change,” said Carter. “It really is one of the biggest challenges for manufacturers today. Many consumers are inherently fearful of connected driving, and at Arxan we want our programmes to reassure them.”

Carter compares the situation currently facing automakers to that which PayPal faced when it launched two decades ago. “Everyone was afraid to use an internet service to make payments, but PayPal took the opportunity to start educating customers about the level of security they put into the solution,” he said. He believes that it was because of this reassurance that consumers finally began to develop trust in the service, and is something that Arxan plans to replicate.

Carter believes that in order to convince consumers to invest in connected and autonomous vehicles, automakers should be more vocal about the risk of cyber attacks, and the steps that are being taken to combat them. “Most automotive manufacturers have been silent on the issues of cyber crime today,” he explained. “While these companies are developing ways of protecting their vehicles, they really should be talking about it in order to gain the trust of the consumer.”

A collective effort: the fight back against cyber crime

In January 2017, Hyundai began working with Cisco, a leader in IT and security technology, to develop a cyber security platform for its connected cars.

In September 2016, Volkswagen set up its own company to develop cyber security protection called Cymotive. A month prior, a group of researchers had found a way to clone key fobs used for the wireless entry systems of millions of Volkswagen Group cars sold between 2000 and 2016.

As an increasing number of critical driving systems become automated – such as steering and braking – the threat to vehicle security will rise. Because of this, stakeholders will need systems in place that can react to threats as soon as they arise, instead of developing solutions after the fact. “The most important thing is to be able to detect issues quickly and react before they become a problem,” explained Carter. “Our application protection needs to be able to remediate an attack as this is what will ultimately minimise the impact and the losses incurred.”

National governments are also becoming involved in the fight against cyber crime. Both France and Germany have proposed parameters for how to collect and use data generated from smart vehicles in order to protect consumer privacy. In 2017, the UK government’s innovation agency, Innovate UK, issued funding to the 5*StarS consortium (formed by Horiba MIRA, Ricardo, Thatcham Research, Roke and Axillium Research), to launch the Automotive Cyber Security through Assurance project. Governments in the US, China and Singapore have also introduced policies to address cyber security risks. In the US, Secretary of Transportation Elaine Chao has voiced concern about the potential for autonomous vehicles to be hacked and weaponised.

In the autonomous space, so much attention has been put on the safety of connected vehicles, in terms of the car’s ability to detect hazards and so on, but we are missing the discussion around the security aspect of a vehicle

In 2017, the US Security and Privacy in Your (SPY) Car Act was introduced to enhance controls on cybersecurity and privacy to all vehicles. The bill dictates that all critical and noncritical software systems must be separated; it also requires vehicles to be able to instantly detect, stop and report attempts to steal driving data or take over vehicle controls.

However, Carter believes that administrations around the world are still not doing enough to combat cyber crime. “One of the biggest challenges is getting legislators to understand some of the concepts of how attacks take place, and so worldwide, we haven’t seen regulation on this,” he said. “In the autonomous driving space, so much attention has been put on safety, in terms of the car’s ability to detect hazards and so on, but we are missing the discussion around the security aspect of a vehicle.”

Although connected and autonomous features promise to improve safety and comfort, past hacks have raised questions about their vulnerability. Cyber security has long been a concern for those with any connected device, and as these optional extras become standard, automakers must ensure that new vehicles do not become a target for rogue cyber activity once they hit the road.

This article appeared in the Q1 2019 issue of M:bility | Magazine. Follow this link to download the full issue.