connected car security

Average reading time 10 minutes

For a century, motorists had one main security concern: that a thief would smash the window and steal the car.

Now, they have other concerns.

In the emerging connected car era, thieves don’t need to pick locks to take control of the vehicle. They don’t even need to be physically present. And they can do more than just steal the car.

Think about it for a minute.

They can, in theory, disable key functions like steering or brakes, or even use the microphone to listen to conversations.

Let's dig in.

 

The connected car hack

The connected car hack is the regrettable flipside of the digitization of the motor industry: if your car is becoming another IoT device, it can be hacked like any other IoT device. 

Indeed, connected car cybersecurity threat is real enough for even the FBI to make a statement about it.

In 2016 the FBI said: “The industry will likely face a range of malicious activity in the near future as the data collected by connected and autonomous vehicles become a target for nation and state and financially motivated actors.”

 

 

Though terrorism and sabotage are possible, experts believe financial crime is far more likely.

Andy Davis, Transport Cyber Security Practice Director at NCC Group, says: “Media reports tend to focus on the physical attacks, but most cyberattacks come from organized crime groups – and they want to make money, not kill the general public.”

Car hackers can be expected to use the same methods they use on PC users.

Ransomware, for example.

Here, criminals will hack into a vehicle, disable it, and then demand money from drivers or manufacturers to relinquish control. Davis says: “You get in the car and a message on the infotainment system says: ‘Send money if you want your car to start’. I can also see hackers stealing ID and card details from cars to sell on the black market.

Why is this?

What compounds the car cybersecurity threat is the sheer number of entry points into the vehicle. Criminals can sneak in via telematics systems, or even the radio.

They can also hack into the many external devices – phones, key cards – that drivers link to the car’s electronic control unit (ECU).

Regrettably, car cybersecurity crimes are now rising.

According to Upstream’s Automotive Cybersecurity Report, annual incidents went up 605% from 2016 to 2019.

The top three attack vectors were :

  • keyless entry systems (30%),
  • backend servers (27%),
  • mobile apps (13%).
     

Re-thinking connected car security

So without question, the connected car hack is a huge challenge for the motor industry.

It demands a mental re-think from companies that have traditionally been unaffected by cybercrime.

Indeed, a 2019 study of industry security practitioners by the Ponemon Institute found just 10% of companies currently have an established cybersecurity team.

The challenges around security, and the reputational damage if something goes wrong, are inspiring partnerships between car manufacturers and best-in-class industry leaders

So how can the industry fight back?

According to Deloitte, specialists agree the starting point should be ‘security by design’.

Car manufacturers need to build in security from the start, rather than patch ‘holes’ as they arise. This will require multi-party collaboration, given the hundreds of suppliers producing parts for today’s cars.

The process will start with securing the connected car’s firmware and software applications (using public key infrastructure, or PKI, and other tools).

But it’s also critical to encrypt the data transmitted to and from the car, both at rest and in motion.

There's more.

Of course, this security must extend across the life of the vehicle.

Manufacturers should be able to disable connected services during shipping, for example, and can deliver over-the-air software updates to prevent data breaches. 

 

Connected car cybersecurity and the future

The good news is that carmakers are working hard to address the growing threat against connected car security.

They are teaming up with security experts and investing in new technology. Last year, for example, a consortium of car manufacturers invested US$30 million in car cybersecurity startup Upstream.

Of course, it's not just manufacturers that need to wise up. Motorists must take responsibility too. After all, no end of technical protection will help if hackers can just use social engineering to dupe the connected car driver.

In 2016, security firm Promon proved this when it created a free WiFi hotspot and asked drivers to install an app on their phones. The app was infected with malware and gave hackers the ability to take control of the car.

And what persuaded the drivers to install such a dangerous app?

A free burger.
 

Related contents to vehicle cybersecurity

 

iot-end-to-end-security-for-connected-vehicules.png

End-to-End Cybersecurity for Connected Vehicles (Brochure - Sept 2020):

Cybersecurity is complex and quickly evolving. Leveraging advanced and proven expertise in digital security and IoT, the Thales Trusted Key Manager provides car makers with support for digital transformation while ensuring the end-to-end security of the automotive ecosystem.

Read more