
Security is a growing concern for car companies as wireless functionality increases.

A Short Guide to Preventing Cars from Being Hacked

The cybersecurity risk is growing as the IoT intersects with the automotive industry. But security tactics that have proven indispensable in the military and consumer electronics industry are also valid for the car industry, according to automotive connectivity pioneer Covisint.
  • Written by Brian Buntz
  • 1st June 2016

The advantage of having a human behind the wheel of a car is that, if your wireless connection goes down, you don’t get so confused that you don’t know what to do. “You might take the wrong route and have to ask for directions, but you can still maintain control over the vehicle. But if a connected car loses connectivity and doesn’t know where it is, it stops. It is done. It is not going to figure it out on its own,” says Dave Miller, Chief Security Officer of Covisint (Detroit) in an interview ahead of TU-Automotive Detroit. The company has itself developed a cloud platform to help automotive companies securely connect vehicles in the cloud.

The security risks are increasing as new cars begin to feature a growing number of autonomous features. While autonomous driving technology is still in its infancy, computers have already taken over an increasing number of functions in cars. There is, for instance, adaptive cruise control that automatically adjusts a car’s speed to keep pace with vehicles in front. And a growing number of automakers are rolling out cars with “steer-by-wire” functionality, which replaces the mechanical linkages between the steering wheel and the wheels with electric signals.

Last year, Wired rocked the automotive industry with an article and accompanying video demonstrating how easy it was to hack a Jeep Cherokee. The vehicle’s engine, brakes, windshield wipers, and stereo system were all capable of being controlled remotely via a cellular connection. Even the Jeep’s steering could be controlled under certain circumstances. The story ultimately led to a recall of 1.4 million vehicles to address a vulnerability with the vehicles’ dashboard computers. A March 2016 alert from the FBI and National Highway Traffic Safety Administration about the growing risk of remote security exploits in cars also mentioned the incident.

The risk of cybersecurity exploits is growing as automakers rush to add new connectivity features to cars while powerful companies like Google, Uber, Mercedes-Benz, Nissan, Audi, and BMW are working to make autonomous driving technology mainstream.

Here are some of the chief factors driving cybersecurity risk in cars in the near term. Where appropriate, specific advice is provided on how carmakers can address them:

1. Don't Prioritize New Features over Security

Consumer demand is increasing for cars with sleek infotainment systems and connectivity options, while consumers are apparently not overly worried about the possibility of their car being hacked. To be fair, it remains more of a theoretical threat at this point. “That is often the way a capitalist system works: you generate excitement about this new thing, and then you figure out the areas of vulnerability and find ways to fix it,” Miller says.

But white hat hackers have already demonstrated the potential risks, and it is possible that attacks like ransomware could hit the automotive industry soon. “I think in the short term, ransomware could be the most likely attack that we have to deal with. Think about an email that says: ‘your car is inactive, and you can’t use it ever again unless you pay me x amount of money,’” Miller says. In a way, car owners would be especially vulnerable to attacks like ransomware. “It is not like with my phone or even my computer where I can back up all of my pictures and files. I don’t know how you back up a car from that standpoint,” he adds.

2. Watch Out for Weak Security Links

When the cybersecurity experts Charlie Miller and Chris Valasek hacked a 2014 Jeep Cherokee for Wired, they did so after discovering a method to jump from the car’s infotainment bus directly to the command and control bus. (They explain how they did so in the video below.) Hackers use this general strategy all of the time on the Internet. “First, they attack the most vulnerable surface for the purpose of being able to attack more valuable things later. That is what happened with the RSA attack; it is what phishing attacks are,” Dave Miller says. “I convince you to do something that seems benign even though what I am getting is the next specific.”

For carmakers, this requires assuming that every access surface can be attacked and thinking of ways to protect all of them. “You protect the low-level stuff to the same degree you protect the higher level stuff,” Miller says. “You never know what they are going to do and the methodology they are going to use if they are looking at a lower priority system to get to a higher priority system.”

3. Don't Be Lax with Permissions

Traditionally, carmakers have given people who connect to automobiles a level of access that is similar to root access on a computer. “If you log in to a vehicle’s data bus, you have traditionally had a kind of always-on access,” Miller says. “The car is essentially saying to the user: ‘if you can invoke me, then you must be OK.’”

Conversely, consider how the military delegates security clearances: “You are not going to have the person who is in charge of the USO decide where the military is going to drop bombs,” Miller says. The level of access is limited or expanded based on the rank of the user.

“If you think about it, cars are similar. You have the infotainment system with one level of permissions, and then there is the command and control system that can do things like activating the brakes,” Miller says.

The automotive industry is starting to create a separation of duties for users that essentially says: ‘You can do these ten things, but you can’t do these other ten things.’

4. Scrutinize Aftermarket Modifications

One of the biggest cybersecurity risks for cars now is aftermarket modifications with some degree of connectivity or wireless functionality. We are familiar with the model where a car automatically pairs to your phone, where the level of control is limited to a Bluetooth connection. Google also has an automotive interface for Android. “Things like that are another thing to secure,” Miller says. “Even if you button down the vehicle and plug in a third-party item that is supposed to allow me to track my kids, that could have software that could be breached.”

Such third-party applications pose a challenge to big automakers because they have no control over them.

“We believe the solution for that is a model that, again, is permission based,” Miller says. A cloud-based security system could be used to verify requests from third-party applications and grant access to those that it verifies. An app could be programmed to provide a list with some things that it wants to do. “The cloud service could then monitor those and say: ‘I don’t understand why this service wants to activate the windshield wipers. It doesn’t make sense. I am not going to give it permission,’” Miller says. “A carmaker could also decide that a class or a specific third-party product is suspect. In a case like that, the cloud platform will just say: ‘nope, you don’t get permission to do anything. We think you are malware,’” he adds.

Covisint also recommends that carmakers consider giving some users—whether they be software-based or humans—connectivity only for a limited time period.
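The permission model described in sections 3 and 4 can be sketched as a deny-by-default broker. The following is an added example, not code from Covisint or from the article; the category names, function names, blocked product ID and one-hour lifetime are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: functions each app category may plausibly request.
CATEGORY_POLICY = {
    "child_tracker": {"read_location", "read_speed"},
    "media_player": {"read_media_state", "control_audio"},
}
# Command-and-control functions are never granted to third-party apps.
CONTROL_FUNCTIONS = {"activate_brakes", "steer", "activate_wipers"}
# Products or whole classes the carmaker has flagged as suspect (placeholders).
BLOCKED_PRODUCTS = {"acme-obd-dongle"}
BLOCKED_CATEGORIES = {"unknown"}
GRANT_TTL_SECONDS = 3600  # access is granted for a limited time only


@dataclass(frozen=True)
class Grant:
    app_id: str
    functions: frozenset
    expires_at: float


def evaluate_manifest(app_id, category, requested, now):
    """Check an app's declared wish list; return (grant or None, denial reasons)."""
    if app_id in BLOCKED_PRODUCTS or category in BLOCKED_CATEGORIES:
        return None, {fn: "product or class is blocked" for fn in requested}
    allowed = CATEGORY_POLICY.get(category, set())  # unlisted category: deny all
    granted, denied = set(), {}
    for fn in requested:
        if fn in CONTROL_FUNCTIONS:
            denied[fn] = "command-and-control function"
        elif fn not in allowed:
            denied[fn] = "not expected for category " + category
        else:
            granted.add(fn)
    if not granted:
        return None, denied
    return Grant(app_id, frozenset(granted), now + GRANT_TTL_SECONDS), denied


def is_authorized(grant, app_id, function, now):
    """Per-request check: reaching the bus is not enough, the grant must cover it."""
    return (grant is not None and grant.app_id == app_id
            and function in grant.functions and now < grant.expires_at)


if __name__ == "__main__":
    # A tracker that also asks for the wipers gets location access only.
    grant, denied = evaluate_manifest(
        "kidtrack-1", "child_tracker", ["read_location", "activate_wipers"], 1000.0)
    print(sorted(grant.functions), denied)
    print(is_authorized(grant, "kidtrack-1", "read_location", 1500.0))  # in window
    print(is_authorized(grant, "kidtrack-1", "read_location", 5000.0))  # expired
```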

5. Consider Dynamic Software Updates

While over-the-air updates have made it easy for consumers to, say, update a smartphone, they are not practical for cars. “If you do it in a car, it becomes tough to decide what is good and bad,” Miller says. “That can be a very dangerous thing because you have opened the ability for the user to do anything.”

Again, the solution here could be to use a central cloud platform to verify pending software updates. “That enables you to do updates dynamically,” Miller says. “You can tell a user: ‘we have determined that this piece of hardware has the possibility of adversely affecting your vehicle experience. Are you really sure you want to install this?’”

Tesla is something of an outlier in that it performs software updates to its vehicles. “This gave Tesla drivers the ability to have a downloaded update make their cars semi-autonomous. That is a pretty impressive upgrade to add to a car without any hardware updates,” Miller says.

But this functionality can also be used to patch security problems. “As vulnerabilities are found, they can say: ‘oh, we are going to increase security here,’” Miller says. “The challenge is that that is easier to do when you are selling $100,000 or $150,000 cars. How you turn that into something where you are selling half a million $30,000 cars is a different story. That becomes more difficult. We haven’t seen the new Tesla Model 3 specs yet but where did they skimp?”

6. Put Safety ahead of Cost

There are often rival camps within a carmaker. The first is charged with doing whatever it can to optimize performance and improve the safety of the company’s cars. The second group seeks to do whatever it can to cut costs to maximize profitability.

“I would argue that there are groups within OEMs that are unbelievably savvy about understanding exactly the issues and the possible architectures that could be set up to mitigate potential risks,” Miller says. “And then there is the group that is looking for the path of least cost.”

While the automotive industry has been steadily adding computing power to cars, it has largely done so with the smallest possible computing power to get the job done. “For quite a while, the automotive industry has been driven by a cost–benefit analysis that doesn’t thoroughly consider the long-term ramifications of the technology that is used,” Miller says. “We are seeing a large change in that mentality, though. The conclusion is catching on that you have to secure all surfaces—even if it drives up costs.”

In the past, the U.S. government has stepped in when it sees security problems not being thoroughly investigated by automakers. “They have come in and said in the past: ‘look, we are going to create regulations that say: you need to do crash tests; and by this date, you have to have seatbelts; and by this date, you have to have airbags,’” Miller says.

In the future, the federal government could expand its oversight of automakers to include cybersecurity. “They might come up with a list of vehicles that they deem to be the safest after they attempted to break into them and these are the safest from an IT standpoint, and these are the least safe,” Miller says. “And they will come up with regulations that say that you have to do these standard things and prove that you have that ability.”
