I recently bought a new car with all the bells and whistles. It warns me if I stray out of my lane. It warns me if there is a car in my blind spot. It has adaptive cruise control that slows down if a car pulls in front of me. When I back up, it alerts me of cross traffic, even pedestrians and dogs. It monitors road conditions and automatically enables all-wheel drive if roads are wet or conditions are cold or icy. And that’s just the start. It has collision detection and automatic braking, and a fully connected entertainment and communications system. Good grief, the windshield wipers even turn on automatically when it starts to rain.
The technology in today’s vehicles is amazing. A modern car may have as many as a hundred electronic control units. When you add satellite infotainment systems with Bluetooth and voice commands, and a 4G LTE WiFi hotspot in your car, these vehicles are not only incredibly connected, they are also increasingly vulnerable.
Not surprisingly, attacks on your car’s sophisticated computer systems are becoming a serious threat. Last year, hacking researchers demonstrated how they could remotely hijack control of a connected vehicle while it was actually cruising down an interstate. The attack came via a vulnerability the researchers found in its Internet-connected infotainment system. Through that point of entry, they were able to access other systems within the car, including the transmission and braking system, with alarming results. The demonstration was dramatic proof that our vehicles are now under serious threat of cyber attack, and led to the recall of 1.4 million vehicles in the United States to install a software update to patch the vulnerability.
And the potential attack surface is growing. Soon, cars will be able to do things like automatically pay for fuel when you pull up to a pump, negotiate online shopping services, check and read your email to you, and sync with your calendar to remind you of conference calls and events. Individual passengers will be able to each have their own, separate WiFi connection to the Internet to stream movies, browse social media, check their banking information, and shop online.
The car I drive is really only a generation or two away from being fully driverless. What happens then, when cars on the road are dynamically sharing road conditions, negotiating traffic, and responding to intelligent traffic systems designed to move traffic more efficiently through urban environments? The potential for a catastrophic result from a well-planned attack seems high, and in addition to the loss of life and property, could stall technological advancement for years.
Securing complex systems like these is no easy task. Once you connect your car to a 4G or 5G network, how do you secure that connection? How do you incorporate security solutions throughout the car that ensure your passengers, and their data, are protected, especially from zero-day attacks? What are the security implications once automakers become their own carriers, providing personalized connectivity services to their cars?
Last year, Senators Ed Markey and Richard Blumenthal introduced new legislation for the National Highway Safety and Transportation Administration and the Federal Trade Commission to create new security and privacy standards that automakers would be required to meet for cars sold in the U.S. The standards would apply to both how companies defend their vehicles from hackers, as well as how they safeguard any personal information the vehicles collect, like driving records.
While the legislation, known as the “Security and Privacy in Your Car Act of 2015” (or the “SPY Car Act of 2015”) is a good start, this approach has its challenges, not the least of which is that technology is advancing at a rate that the intentionally slow process of legislation will never be able to keep up with. Laws will either be too specific, and therefore not address the latest threats and challenges, or so vague as to allow a lot of wiggle room in terms of developing appropriate safeguards.
So the big question is, what can we do now? I suggest that a good first step would be for auto manufacturers to begin to partner with security vendors to design safer vehicles. Securing a car should not be much different from securing a modern network – harden your access points, monitor and inspect traffic for malware and unauthorized commands, segment the network into security zones, secure communications, and share global and local threat intelligence. Everything else in a car is branded, from XM radios to Bose speakers to designer interiors. Why not have a vehicle secured by a security engineering company that does this sort of thing as their primary business?
Our love affair with the car shows no signs of slowing down. And as it becomes even more integrated with our online lives, including the advent of what I refer to as Transportation as a Service, we are exposing ourselves to more risks than ever. So, what do we do next?
These are important discussions we as consumers, and as a security industry, need to be having right now.
