
Security


iStock / graphicnoi

Security is a growing concern for car companies as wireless functionality increases.

A Short Guide to Preventing Cars from Being Hacked

The cybersecurity risk is growing as the IoT intersects with the automotive industry. But security tactics that have proven indispensable in the military and consumer electronics industry are also valid for the car industry, according to automotive connectivity pioneer Covisint.
  • Written by Brian Buntz
  • 1st June 2016

The advantage of having a human behind the wheel of a car is that, if your wireless connection goes down, you don’t get so confused that you don’t know what to do. “You might take the wrong route and have to ask for directions, but you can still maintain control over the vehicle. But if a connected car loses connectivity and doesn’t know where it is, it stops. It is done. It is not going to figure it out on its own,” says Dave Miller, Chief Security Officer of Covisint (Detroit) in an interview ahead of TU-Automotive Detroit. The company has itself developed a cloud platform to help automotive companies securely connect vehicles in the cloud.

The security risks are increasing as new cars begin to feature a growing number of autonomous features. While autonomous driving technology is still in its infancy, computers have already taken over an increasing number of functions in cars. There is, for instance, adaptive cruise control that automatically adjusts a car’s speed to keep pace with vehicles in front. And a growing number of automakers are rolling out cars with “steer-by-wire” functionality, which replaces the mechanical linkages between the steering wheel and the wheels with electric signals.

Last year, Wired rocked the automotive industry with an article and accompanying video demonstrating how easy it was to hack a Jeep Cherokee. The vehicle’s engine, brakes, windshield wipers, and stereo system were all capable of being controlled remotely via a cellular connection. Even the Jeep’s steering could be controlled under certain circumstances. The story ultimately led to a recall of 1.4 million vehicles to address a vulnerability with the vehicles’ dashboard computers. A March 2016 alert from the FBI and National Highway Traffic Safety Administration about the growing risk of remote security exploits in cars also mentioned the incident.

The risk of cybersecurity exploits is growing as automakers rush to add new connectivity features to cars while powerful companies like Google, Uber, Mercedes-Benz, Nissan, Audi, and BMW are working to make autonomous driving technology mainstream.

Here are some of the chief factors driving cybersecurity risk in cars in the near term. Where appropriate, specific advice is provided on how carmakers can address them:

1. Don't Prioritize New Features over Security

Consumer demand is increasing for cars with sleek infotainment systems and connectivity options, while consumers are apparently not overly worried about the possibility of their car being hacked. To be fair, it remains more of a theoretical threat at this point. “That is often the way a capitalist system works: you generate excitement about this new thing, and then you figure out the areas of vulnerability and find ways to fix it,” Miller says.

But white hat hackers have already demonstrated the potential risks, and it is possible that attacks like ransomware could hit the automotive industry soon. “I think in the short term, ransomware could be the most likely attack that we have to deal with. Think about an email that says: ‘your car is inactive, and you can’t use it ever again unless you pay me x amount of money,’” Miller says. In a way, car owners would be especially vulnerable to attacks like ransomware. “It is not like with my phone or even my computer where I can back up all of my pictures and files. I don’t know how you back up a car from that standpoint,” he adds.

2. Watch Out for Weak Security Links

When the cybersecurity experts Charlie Miller and Chris Valasek hacked a 2014 Jeep Cherokee for Wired, they did so after discovering a method to jump from the car’s infotainment bus directly to the command and control bus. (They explain how they did so in the video below.) Hackers use this general strategy all of the time on the Internet. “First, they attack the most vulnerable surface for the purpose of being able to attack more valuable things later. That is what happened with the RSA attack; it is what phishing attacks are,” Dave Miller says. “I convince you to do something that seems benign even though what I am getting is the next specific.”

For carmakers, this requires assuming that every access surface can be attacked and thinking of ways to protect all of them. “You protect the low-level stuff to the same degree you protect the higher level stuff,” Miller says. “You never know what they are going to do and the methodology they are going to use if they are looking at a lower priority system to get to a higher priority system.”

3. Don't Be Lax with Permissions

Traditionally, carmakers have given people who connect to automobiles a level of access that is similar to root access on a computer. “If you log in to a vehicle’s data bus, you have traditionally had a kind of always-on access,” Miller says. “The car is essentially saying to the user: ‘if you can invoke me, then you must be OK.’”

Conversely, consider how the military delegates security clearances: “You are not going to have the person who is in charge of the USO decide where the military is going to drop bombs,” Miller says. The level of access is limited or expanded based on the rank of the user.

“If you think about it, cars are similar. You have the infotainment system with one level of permissions, and then there is the command and control system that can do things like activating the brakes,” Miller says.

The automotive industry is starting to create a separation of duties for users that essentially says: ‘You can do these ten things, but you can’t do these other ten things.’

4. Scrutinize Aftermarket Modifications

One of the biggest cybersecurity risks for cars now is aftermarket modifications with some degree of connectivity or wireless functionality. We are familiar with the model where a car automatically pairs to your phone, where the level of control is limited to a Bluetooth connection. Google also has an automotive interface for Android. “Things like that are another thing to secure,” Miller says. “Even if you button down the vehicle and plug in a third-party item that is supposed to allow me to track my kids, that could have software that could be breached.”

Such third-party applications pose a challenge to big automakers because they have no control over them.

“We believe the solution for that is a model that, again, is permission based,” Miller says. A cloud-based security system could be used to verify requests from third-party applications and grant access to those that it verifies. An app could be programmed to provide a list with some things that it wants to do. “The cloud service could then monitor those and say: ‘I don’t understand why this service wants to activate the windshield wipers. It doesn’t make sense. I am not going to give it permission,’” Miller says. “A carmaker could also decide that a class or a specific third-party product is suspect. In a case like that, the cloud platform will just say: ‘nope, you don’t get permission to do anything. We think you are malware,’” he adds.

Covisint also recommends that carmakers consider giving some users—whether they be software-based or humans—connectivity only for a limited time period.
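The permission model described in this section can be sketched as a small policy check. This is an added example, not Covisint's code: the category names, action names, and the blocked product identifier are all constructed for illustration, and it assumes the app declares its requested actions up front and receives a grant that expires.

```python
from dataclasses import dataclass

# Constructed policy: actions each app category may plausibly need (assumption).
ALLOWED_BY_CATEGORY = {
    "family_tracker": {"read_location", "read_speed"},
    "media_player": {"read_media_state", "set_volume"},
}
# Command-and-control functions are never granted to third-party apps (assumption).
CONTROL_FUNCTIONS = {"activate_brakes", "steer"}
# Products the carmaker has flagged as suspect (constructed identifier).
BLOCKED_PRODUCTS = {"example-suspect-dongle"}

@dataclass(frozen=True)
class Grant:
    product: str
    actions: frozenset
    expires_at: float  # grants are time-limited, never always-on

def review_request(product, category, requested, now, ttl_seconds=3600):
    """Review an app's declared action list; return (Grant or None, denials)."""
    if product in BLOCKED_PRODUCTS:
        return None, {a: "product is blocked" for a in requested}
    plausible = ALLOWED_BY_CATEGORY.get(category, set())
    granted, denied = set(), {}
    for action in requested:
        if action in CONTROL_FUNCTIONS:
            denied[action] = "control function not available to third parties"
        elif action not in plausible:
            # e.g. a tracker asking for the windshield wipers makes no sense
            denied[action] = f"not expected for category {category!r}"
        else:
            granted.add(action)
    if not granted:
        return None, denied
    return Grant(product, frozenset(granted), now + ttl_seconds), denied

def is_permitted(grant, action, now):
    """Enforcement check on every call: default deny, and grants expire."""
    return grant is not None and now < grant.expires_at and action in grant.actions

if __name__ == "__main__":
    grant, denied = review_request(
        "kid-tracker", "family_tracker",
        ["read_location", "activate_wipers", "activate_brakes"], now=0.0)
    print(sorted(grant.actions), denied)
```

The enforcement check runs on each request rather than once at connection time, which is the difference from the always-on bus access described in section 3.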

5. Consider Dynamic Software Updates

While over-the-air updates have made it easy for consumers to, say, update a smartphone, they are not practical for cars. “If you do it in a car, it becomes tough to decide what is good and bad,” Miller says. “That can be a very dangerous thing because you have opened the ability for the user to do anything.”

Again, the solution here could be to use a central cloud platform to verify pending software updates. “That enables you to do updates dynamically,” Miller says. “You can tell a user: ‘we have determined that this piece of hardware has the possibility of adversely affecting your vehicle experience. Are you really sure you want to install this?’”

Tesla is something of an outlier in that it performs software updates to its vehicles. “This gave Tesla drivers the ability to have a downloaded update make their cars semi-autonomous. That is a pretty impressive upgrade to add to a car without any hardware updates,” Miller says.

But this functionality can also be used to patch security problems. “As vulnerabilities are found, they can say: ‘oh, we are going to increase security here,’” Miller says. “The challenge is that that is easier to do when you are selling $100,000 or $150,000 cars. How you turn that into something where you are selling half a million $30,000 cars is a different story. That becomes more difficult. We haven’t seen the new Tesla Model 3 specs yet but where did they skimp?”

6. Put Safety ahead of Cost

There are often rival camps within a carmaker. The first is charged with doing whatever it can to optimize performance and improve the safety of the company’s cars. The second group seeks to do whatever it can to cut costs to maximize profitability.

“I would argue that there are groups within OEMs that are unbelievably savvy about understanding exactly the issues and the possible architectures that could be set up to mitigate potential risks,” Miller says. “And then there is the group that is looking for the path of least cost.”

While the automotive industry has been steadily adding computing power to cars, it has largely done so with the smallest possible computing power to get the job done. “For quite a while, the automotive industry has been driven by a cost–benefit analysis that doesn’t thoroughly consider the long-term ramifications of the technology that is used,” Miller says. “We are seeing a large change in that mentality, though. The conclusion is catching on that you have to secure all surfaces—even if it drives up costs.”

In the past, the U.S. government has stepped in when it sees security problems not being thoroughly investigated by auto makers. “They have come in and said in the past: ‘look, we are going to create regulations that say: ‘you need to do crash tests; and by this date, you have to have seatbelts; and by this date, you have to have airbags,’” Miller says.

In the future, the federal government could expand its oversight of automakers to include cybersecurity. “They might come up with a list of vehicles that they deem to be the safest after they attempted to break into them and these are the safest from an IT standpoint, and these are the least safe,” Miller says. “And they will come up with regulations that say that you have to do these standard things and prove that you have that ability.”
