
Security is a growing concern for car companies as wireless functionality increases.

A Short Guide to Preventing Cars from Being Hacked

The cybersecurity risk is growing as the IoT intersects with the automotive industry. But security tactics that have proven indispensable in the military and consumer electronics industry are also valid for the car industry, according to automotive connectivity pioneer Covisint.
  • Written by Brian Buntz
  • 1st June 2016

The advantage of having a human behind the wheel of a car is that, if your wireless connection goes down, you don’t get so confused that you don’t know what to do. “You might take the wrong route and have to ask for directions, but you can still maintain control over the vehicle. But if a connected car loses connectivity and doesn’t know where it is, it stops. It is done. It is not going to figure it out on its own,” says Dave Miller, Chief Security Officer of Covisint (Detroit), in an interview ahead of TU-Automotive Detroit. The company has itself developed a cloud platform to help automotive companies securely connect vehicles in the cloud.

The security risks are increasing as new cars begin to feature a growing number of autonomous features. While autonomous driving technology is still in its infancy, computers have already taken over an increasing number of functions in cars. There is, for instance, adaptive cruise control that automatically adjusts a car’s speed to keep pace with vehicles in front. And a growing number of automakers are rolling out cars with “steer-by-wire” functionality, which replaces the mechanical linkages between the steering wheel and the wheels with electric signals.

Last year, Wired rocked the automotive industry with an article and accompanying video demonstrating how easy it was to hack a Jeep Cherokee. The vehicle’s engine, brakes, windshield wipers, and stereo system were all capable of being controlled remotely via a cellular connection. Even the Jeep’s steering could be controlled under certain circumstances. The story ultimately led to a recall of 1.4 million vehicles to address a vulnerability with the vehicles’ dashboard computers. A March 2016 alert from the FBI and National Highway Traffic Safety Administration about the growing risk of remote security exploits in cars also mentioned the incident.

The risk of cybersecurity exploits is growing as automakers rush to add new connectivity features to cars while powerful companies like Google, Uber, Mercedes-Benz, Nissan, Audi, and BMW are working to make autonomous driving technology mainstream.

Here are some of the chief factors driving cybersecurity risk in cars in the near term. Where appropriate, specific advice is provided on how carmakers can address them:

1. Don't Prioritize New Features over Security

Consumer demand is increasing for cars with sleek infotainment systems and connectivity options, while consumers are apparently not overly worried about the possibility of their car being hacked. To be fair, it remains more of a theoretical threat at this point. “That is often the way a capitalist system works: you generate excitement about this new thing, and then you figure out the areas of vulnerability and find ways to fix it,” Miller says.

But white hat hackers have already demonstrated the potential risks, and it is possible that attacks like ransomware could hit the automotive industry soon. “I think in the short term, ransomware could be the most likely attack that we have to deal with. Think about an email that says: ‘your car is inactive, and you can’t use it ever again unless you pay me x amount of money,’” Miller says. In a way, car owners would be especially vulnerable to attacks like ransomware. “It is not like with my phone or even my computer where I can back up all of my pictures and files. I don’t know how you back up a car from that standpoint,” he adds.

2. Watch Out for Weak Security Links

When the cybersecurity experts Charlie Miller and Chris Valasek hacked a 2014 Jeep Cherokee for Wired, they did so after discovering a method to jump from the car’s infotainment bus directly to the command and control bus. Hackers use this general strategy all of the time on the Internet. (They explain how they did so in the video below.) “First, they attack the most vulnerable surface for the purpose of being able to attack more valuable things later. That is what happened with the RSA attack; it is what phishing attacks are,” Dave Miller says. “I convince you to do something that seems benign even though what I am getting is the next specific.”

For carmakers, this requires assuming that every access surface can be attacked and thinking of ways to protect all of them. “You protect the low-level stuff to the same degree you protect the higher level stuff,” Miller says. “You never know what they are going to do and the methodology they are going to use if they are looking at a lower priority system to get to a higher priority system.”

3. Don't Be Lax with Permissions

Traditionally, carmakers have given people who connect to automobiles a level of access that is similar to root access on a computer. “If you log in to a vehicle’s data bus, you have traditionally had a kind of always-on access,” Miller says. “The car is essentially saying to the user: ‘if you can invoke me, then you must be OK.’”

Conversely, consider how the military delegates security clearances: “You are not going to have the person who is in charge of the USO decide where the military is going to drop bombs,” Miller says. The level of access is limited or expanded based on the rank of the user.

“If you think about it, cars are similar. You have the infotainment system with one level of permissions, and then there is the command and control system that can do things like activating the brakes,” Miller says.

The automotive industry is starting to create a separation of duties for users that essentially says: ‘You can do these ten things, but you can’t do these other ten things.’

4. Scrutinize Aftermarket Modifications

One of the biggest cybersecurity risks for cars now is aftermarket modifications with some degree of connectivity or wireless functionality. We are familiar with the model where a car automatically pairs to your phone, where the level of control is limited to a Bluetooth connection. Google also has an automotive interface for Android. “Things like that are another thing to secure,” Miller says. “Even if you button down the vehicle and plug in a third-party item that is supposed to allow me to track my kids, that could have software that could be breached.”

Such third-party applications pose a challenge to big automakers because they have no control over them.

“We believe the solution for that is a model that, again, is permission based,” Miller says. A cloud-based security system could be used to verify requests from third-party applications and grant access to those that it verifies. An app could be programmed to provide a list with some things that it wants to do. “The cloud service could then monitor those and say: ‘I don’t understand why this service wants to activate the windshield wipers. It doesn’t make sense. I am not going to give it permission,’” Miller says. “A carmaker could also decide that a class or a specific third-party product is suspect. In a case like that, the cloud platform will just say: ‘nope, you don’t get permission to do anything. We think you are malware,’” he adds.

Covisint also recommends that carmakers consider giving some users—whether they be software-based or humans—connectivity only for a limited time period.
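The permission model described in sections 3 and 4 (a declared permission list, a cloud-side check of whether each request makes sense for the app, blocking of suspect products, and time-limited access) can be sketched as follows. This is an added example, not Covisint's code; the app classes, action names, product identifier and policy table are hypothetical.

```python
import time
from dataclasses import dataclass

# Hypothetical policy: actions each class of third-party app plausibly needs.
ALLOWED_BY_CLASS = {
    "child_tracker": {"read_location", "read_speed"},
    "media_player": {"read_media_state", "control_audio"},
}
# Products or whole classes the carmaker has flagged as suspect (constructed).
SUSPECT_PRODUCTS = {"example-suspect-dongle"}
SUSPECT_CLASSES = set()


@dataclass(frozen=True)
class Grant:
    app_id: str
    actions: frozenset
    expires_at: float  # access is only valid for a limited time


def review_manifest(app_id, app_class, requested, now=None, ttl_seconds=3600):
    """Check an app's declared permission list; return (grant, denied)."""
    now = time.time() if now is None else now
    requested = set(requested)
    # Suspect product or class: no permission to do anything.
    if app_id in SUSPECT_PRODUCTS or app_class in SUSPECT_CLASSES:
        return None, requested
    # Unknown class falls through to an empty set, i.e. default deny.
    allowed = ALLOWED_BY_CLASS.get(app_class, set())
    granted, denied = requested & allowed, requested - allowed
    if not granted:
        return None, denied
    return Grant(app_id, frozenset(granted), now + ttl_seconds), denied


def authorize(grant, app_id, action, now=None):
    """Per-request check: right app, unexpired grant, action was granted."""
    now = time.time() if now is None else now
    return (grant is not None and grant.app_id == app_id
            and now < grant.expires_at and action in grant.actions)


if __name__ == "__main__":
    # Constructed request: a tracker that also asks for the windshield wipers.
    grant, denied = review_manifest(
        "kidtrack-1", "child_tracker", ["read_location", "activate_wipers"])
    print("granted:", sorted(grant.actions), "denied:", sorted(denied))
    print("wipers allowed?", authorize(grant, "kidtrack-1", "activate_wipers"))
```

The point of the split between `review_manifest` and `authorize` is that being able to invoke the vehicle is never sufficient on its own: every request is checked against a grant that names the app, the actions and an expiry.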

5. Consider Dynamic Software Updates

While over-the-air updates have made it easy for consumers to, say, update a smartphone, they are not practical for cars. “If you do it in a car, it becomes tough to decide what is good and bad,” Miller says. “That can be a very dangerous thing because you have opened the ability for the user to do anything.”

Again, the solution here could be to use a central cloud platform to verify pending software updates. “That enables you to do updates dynamically,” Miller says. “You can tell a user: ‘we have determined that this piece of hardware has the possibility of adversely affecting your vehicle experience. Are you really sure you want to install this?’”

Tesla is something of an outlier in that it performs software updates on its vehicles. “This gave Tesla drivers the ability to have a downloaded update make their cars semi-autonomous. That is a pretty impressive upgrade to add to a car without any hardware updates,” Miller says.

But this functionality can also be used to patch security problems. “As vulnerabilities are found, they can say: ‘oh, we are going to increase security here,’” Miller says. “The challenge is that that is easier to do when you are selling $100,000 or $150,000 cars. How you turn that into something where you are selling half a million $30,000 cars is a different story. That becomes more difficult. We haven’t seen the new Tesla Model 3 specs yet but where did they skimp?”

6. Put Safety ahead of Cost

There are often rival camps within a carmaker. The first is charged with doing whatever it can to optimize performance and improve the safety of the company’s cars. The second group seeks to do whatever it can to cut costs to maximize profitability.

“I would argue that there are groups within OEMs that are unbelievably savvy about understanding exactly the issues and the possible architectures that could be set up to mitigate potential risks,” Miller says. “And then there is the group that is looking for the path of least cost.”

While the automotive industry has been steadily adding computing power to cars, it has largely done so with the smallest possible computing power to get the job done. “For quite a while, the automotive industry has been driven by a cost–benefit analysis that doesn’t thoroughly consider the long-term ramifications of the technology that is used,” Miller says. “We are seeing a large change in that mentality, though. The conclusion is catching on that you have to secure all surfaces—even if it drives up costs.”

In the past, the U.S. government has stepped in when it sees security problems not being thoroughly investigated by auto makers. “They have come in and said in the past: ‘look, we are going to create regulations that say: ‘you need to do crash tests; and by this date, you have to have seatbelts; and by this date, you have to have airbags,’” Miller says.

In the future, the federal government could expand its oversight of automakers to include cybersecurity. “They might come up with a list of vehicles that they deem to be the safest after they attempted to break into them and these are the safest from an IT standpoint, and these are the least safe,” Miller says. “And they will come up with regulations that say that you have to do these standard things and prove that you have that ability.”
