The National Highway Traffic Safety Administration and the FBI have issued a joint bulletin on the risks of cyber threats to increasingly connected cars.
After high-profile successful hacks on the Jeep Cherokee, BMW and the Chevrolet Volt, cyber security for connected and autonomous vehicles has gained attention among consumers as well as the motor industry. To reinforce the message that security measures for vehicles must be taken seriously, the FBI and the National Highway Traffic Safety Administration (NHTSA) have issued a joint bulletin to warn the automotive industry of the increasing level of vulnerability of vehicles to hacking attacks.
The bulletin highlighted online vehicle software updates as being of particular concern. It also described attacks ranging from non-safety-related attacks for commercial gain through to safety-critical attacks that could potentially hand control of the vehicle to criminal attackers.
The communication and IT systems in modern connected vehicles are complex and combine different technologies and protocols including mobile networks, wireless systems, hard-wired bus architecture and others. As an integral part of the Internet of Things (IoT), connected cars need a full, layered approach to achieving security.
One such layer is that of identity management, a term used for the verification of the authenticity of a person or “thing” on the IoT and their authority to access parts of the connected car system.
Commenting on the requirement for robust access management, Simon Moffat, the EMEA Director of Advanced Customer Engineering at identity management company ForgeRock, told us, “The more advanced car manufacturers are already incorporating secure digital identity and access management technologies in their cars to secure their connected navigation and onboard information systems through multi-factor authentication.”
Moffat encourages consumers to examine the IT content of potential vehicles that they’re looking to purchase and test the knowledge of the dealer on the security aspects of such content.
According to global information security company Intel Security, the industry needs regulation on matters of IT security to ensure that ways of securing vehicles are adopted uniformly and in a way that provides maximum protection.
Referring to recent announcements in the UK on the development of driverless cars, Intel Security points out that there is a corresponding need to define regulatory changes to mitigate the risks of cyber attacks on such vehicles.
Commenting on the need for such changes, Intel Security’s EMEA CTO, Raj Samani, told us that hackers tend to react very quickly to new developments in technology by identifying vulnerabilities and potential attack vectors. The potential for these hackers to gain control of connected vehicles is therefore a very real threat.
“We are yet to see this translate into actual attacks, however as with any crime, it is just a matter of requiring a motive. If driverless and connected vehicles are to become commonplace in the UK, it is just a matter of time before attackers find a means to use this as an opportunity to fulfil one of these motives,” Samani told us.
Raj Samani went on to explain Intel’s development of the Automotive Security Review Board (ASRB), a collaboration of security and automotive industry talent who work together to stay one step ahead of cybercriminals and secure vulnerabilities before hackers have the opportunity to turn this potential risk into a dangerous reality.
“It’s crucial that security is a key consideration right from the manufacturing stage of connected vehicles and the ASRB welcomes input and collaboration with the government to advise best practices for tackling this issue together,” Samani concluded.
Addressing the skill balance
There is no doubt that cyber criminals have the right combination of expertise, opportunity and motivation to carry out attacks on connected vehicles if there is sufficient motive for them to do so. However, those skills are not matched among consumers in general or, indeed, within the industry that needs protection. The perpetrators of cyber crime, always one step ahead, need to be challenged with a concerted defence from within the industry supplying the goods that are being attacked.
Commenting on this lack of expertise, the prpl Foundation’s chief security strategist, Cesare Garlati, explained, “The lack of subject matter expertise with mechanical and electrical engineers is leaving systems wide open to attack. While it’s unfair to expect them to shoulder this burden, it is also unfair to place the onus squarely on the consumer who is likely to know even less about security. This is something which vendors, regulators and manufacturers must carefully consider as the evolution of connected cars continues.”