Connected Cars: Going Too Fast?
In its haste to push more connected cars to market, the automotive industry may be overlooking security. According to VDC Research, almost one-third of all new cars sold in 2015 had Internet connectivity in the form of embedded cellular modems, smartphone interfaces or a combination of the two.
But the advisory firm estimated that by 2020, that proportion will rise to more than three-quarters, with some 220 million such connected cars on the road worldwide. Additionally, it stated that new vehicles sold in 2015 had an average of more than 30 microprocessors, yet less than 2 percent of those microprocessors included hardware security features.
Security Flaws and Vulnerabilities in Connected Cars
In recent years, a number of security flaws have been identified, from the remote unlocking of car doors to hacks that can impact dashboard functions, take control of steering and engage or disable brakes. While it was originally believed that remote hacks would only be possible within a short range — within the range of a cell tower, for example — there’s now proof that hacks can work over large distances.
Researchers have shown that practically any modern vehicle could be vulnerable. In particular, two researchers, Charlie Miller and Chris Valasek, have been at the forefront of demonstrating security vulnerabilities of connected cars.
Better Security Required
The revelations that these and other researchers have made have not escaped the attention of the U.S. Senate. Two senators are introducing legislation, known as the SPY Car Act of 2015, to tackle the security issues of connected cars. It requires the National Highway Traffic Safety Administration and the Federal Trade Commission to collaborate on the development and implementation of cybersecurity standards for vehicles. These measures will include:
- Standards for hacking protection and mitigation;
- A cyber dashboard, such as a label affixed to a car that details how it complies with the act’s cybersecurity and privacy requirements; and
- The development of privacy standards including those regulating the collection and use of data and limiting the use of driving data by automotive manufacturers.
It also provides that any violation of the cybersecurity standards be penalized by a fine of up to $5,000 per violation.
I Am The Cavalry, a group focused on how computer security impacts public safety and human life, made five recommendations for improving the security of connected cars. It suggested:
- Safer design to reduce attack points;
- Third-party testing;
- Internal monitoring systems;
- Segmented architecture to limit damage from hacking; and
- Internet-enabled security software similar to that used on PCs.
Helping Manufacturers Tackle Security Issues
Among the challenges that auto manufacturers face is that security must be considered for all parts of a connected car and throughout all stages of its life cycle, from the design phase to when the vehicle is on the road. At the same time, cars are increasingly complex and manufacturers face time-to-market constraints.
A security model called Design, Build, Drive can aid automakers in the process of ensuring their cars are secure. The design phase assists manufacturers in creating a secure vehicle and infrastructure, while the build phase focuses on controlling the production environment and creating a trusted supply chain. Finally, the drive phase is used to harden the vehicle, create a trusted maintenance ecosystem and enable new use models.
Currently, connected cars are being developed more quickly than the corresponding cybersecurity measures and standards. This is an unsustainable situation, as the number of such cars and their complexity are increasing rapidly, just as cybersecurity issues are growing in number and complexity.
Security must be built in and issues must be solved rapidly; retrofitting security into existing models will not only be expensive, but also likely ineffective. The vulnerabilities are real, but the momentum to fix them may be too slow.