Connected Cars Create New Security Challenges

Connected cars are essentially computer networks on wheels. The dashboard is now the control center for telecommunications, web surfing, car diagnostics, navigation, and a host of other functions. The rolling computer network monitors the car’s systems using built-in sensors to make sure everything is running properly. A wireless connection can also be used to send telemetry to the telematics service provider or the manufacturer to facilitate service and update software. Once a vehicle is connected to the internet it becomes susceptible to hacking.


Car hacking is the latest in a long series of consumer security threats and has been getting a lot of attention in the news. Major carmakers including BMW, Mercedes-Benz, General Motors, and Tesla have already had to address car hacking threats. Clearly, automotive hacking is posing a safety concern. And as consumers demand more from their connected cars, it will likely mean hacker attacks will target personal data and private information as well.

What Are the Primary Motivators for Hackers?

Hacking has a life cycle like almost everything else in the world. The initial wave of hacking is based on an inherent desire to ‘see what is possible’. This is both the cause of great innovation and the beginning of the opening of a Pandora’s Box. Once something is known to be ‘possible’ there is a natural attraction to the hacker communities, who are seeking some level of self-gain. In the automotive arena, there are currently two or three use cases where a hacker may be motivated to take advantage of vulnerable vehicles. 

We believe these can be summarized into three categories:

  • Phishing Attacks - Hackers take a long-term view of gaining an economic return for their efforts. The point of phishing is to ‘learn something of value’ about a person or a group of people. They are casting a very wide net.

  • One to One Attacks - Let's face it, some people are more interesting than others and hackers are going to go after high-profile opportunities. Sometimes this is just to make a name for themselves and other times it is to target an enemy of their cause.

  • Mass Attacks - Here the hacker's motivation is to make a big splash, and hacking a large number of vehicles would generate a lot of buzz in the media. We can all imagine the economic impact of waking up one morning and finding that an entire set of vehicles can’t start due to a hacking incident, or worse, that there has been a rash of accidents caused by hackers remotely interfering with cars while they are being driven.

While we think the chances of a major event remain remote at this time, we cannot continue to believe that vehicles are ‘islands’ protected from foreign elements by their disconnected nature.

Manufacturers Need to Be Proactive about Hacking

Over the last year, the high-profile car-hacking events in the news have dramatized the vulnerability of the connected car. 

Using simple wireless communications systems, hackers have demonstrated that no connected car network is safe:

  • BMW was one of the first to report a hacking incident. To dramatize the vulnerability of the new connected cars, the Allgemeiner Deutscher Automobil-Club (ADAC), the German automobile club, was able to reverse-engineer the telematics software that controls BMW’s ConnectedDrive system, which is installed in more than 2.2 million vehicles. Exploiting security weaknesses in the software, ADAC was able to access the air conditioning system, traffic information system, and the door lock controls using a wireless computer.

  • Chrysler suffered a similar embarrassment when two hackers were able to shut down a Jeep by remote control. In a profile published in Wired magazine, the hackers were able to take control of a Jeep Cherokee traveling at highway speed, first operating the windshield wipers, taking over the radio, and ultimately shutting down the vehicle altogether by locking the transmission.

  • Tesla was also the victim of a cyber attack. Two mobile security experts demonstrated their ability to hack a Tesla Model S at the DEF CON hacker conference in Las Vegas. In order to hack the Tesla, they first had to gain physical access to the vehicle’s network infrastructure to introduce a Trojan. Once the virus was inserted, the hackers were able to convince the car that their laptop was the car’s controller, allowing them to take command, including the ability to shut off the engine.

While all these hacking incidents demonstrate the vulnerability of the connected car, how these carmakers dealt with the problem demonstrated manufacturers’ preparedness to deal with hackers. Chrysler’s approach was the old school ‘sneaker net’ approach, essentially shipping USB drives with a software patch to 1.4 million car owners. BMW’s solution was more elegant; they were able to develop a patch and then send it wirelessly to all affected cars so the software update was automatic. Tesla had the most sophisticated solution. The company already sends regular software updates wirelessly to all its vehicles, so the software patch to fix the security bug was ready for delivery.

What this demonstrates is that with connected car advances, OEMs need to be prepared to address security problems before they occur. Patching faulty software is one thing, but OEMs need proactive security measures to protect vehicles, such as firewalls and data encryption to protect vehicle telematics.

One of the interesting thoughts that arises out of this discussion is what role the consumer should play in security management for their vehicle. In the computing space, consumers play a fairly active role. Will they necessarily play a similar role in the vehicle? Do OEMs want consumer consent and participation in applying updates?

Personal Security Part of the Connected Car Risk

Security to promote driving safety is a primary consideration. However, manufacturers are also going to have to start thinking about securing personal data as well.

As cars increasingly become an extension of today’s connected lifestyle, car owners will start storing sensitive data in their car systems to handle music downloads, toll payments, and other transactions. Credit card information and identity theft are attractive targets for hackers and something automakers need to consider.

For example, a hacker could set up a wireless sensor to access credit card data stored in cars driving past a given location on the highway. Hackers wouldn’t even have to go looking for targets; the data drives right past their door. Or what about hacking navigational data? If you can match a car’s GPS location to a known home address, then a housebreaker can tell when you are away from home.

To address these security concerns, Senators Richard Blumenthal (D-Conn.) and Edward J. Markey (D-Mass.) have introduced the Security and Privacy in Your Car Act, also known as the SPY Car Act. The legislation would establish a rating system for consumers to rank how well cars protect security and privacy. The senators’ proposal also asks the National Highway Traffic Safety Administration (NHTSA) to establish new standards of protection. These standards would require OEMs to isolate software systems and take steps to secure connected vehicles. They also want to require technology that would detect, record, and stop hacking attempts in real time.

Smart OEMs are becoming proactively involved in connected car security. By being proactive and taking positive steps today, manufacturers can become part of the security solution and help shape industry standards and legislation. They also can be ready to reassure customers that the next generation of connected cars is safe and secure.


Auto Security: Do Feds Have Our Back?

Consumers should be aware of the possibility of a hacker attack on their cars. We now know that what used to be considered a movie scenario — remote hacking — could be done.

The current reality is that, while a variety of connectivity technologies have been transfused into cars, the equal and opposite security measures are yet to be deployed.

Surely, car hacking is the last thing automakers want to mention as they push the connected cars into the vast consumer disconnect. But government watchdogs in both the U.S. and the U.K. are working to get ahead of the curve and let the public know that they are concerned.

"Whether we're turning vehicles into WiFi-connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber-attacks," said Martin Callanan, a minister in the Department for Transport at the British government.

He said this last week when the U.K. agency issued new guidelines, requiring manufacturers of Internet-connected vehicles to put in place tougher cyber protections to ensure a stronger shield against hackers.

It isn’t just the U.K. The National Highway Traffic Safety Administration (NHTSA) in the United States also issued federal guidance last fall to the automotive industry for improving motor vehicle cybersecurity.

Questions to ask

So should we all sleep well, confident that the feds have our back?

Not so fast, Gracie.

Questions that come to my mind include:
1. Do the guidelines issued by NHTSA and the British Department for Transport have any teeth for security enforcement?
2. More important, have they gone far enough to suggest effective cybersecurity measures for cars?
3. What are the differences in the proposals of the two separate governments?

As Roger Lanctot, director automotive connected mobility in the global automotive practice at Strategy Analytics, told us, “All of the work and guidance today is advisory vs. compulsory in nature.” Things will become real, in his opinion, “when financial and liability consequences are in fact defined.”

Sources of vulnerability in connected cars are many. Lanctot listed: “diagnostic ports, hobbyist/enthusiasts, dealers, suppliers/supply chain, criminals and terrorists to say nothing of incompetence, bugs, and the management of multiple onboard systems crossing domains with different development standards.”

Facing so many areas inside cars that must be protected as cars morph into always-on computing devices, it isn’t easy to come up with comprehensive guidelines. And yet, “Regulators need to demonstrate they are doing something,” said Lanctot.

How do security experts see the development of government guidelines?

Gene Carter, vice president of products at OnBoard Security, for example, believes that “both the U.K. and NHTSA guidance documents included basic security tenets.”

He explained such measures should be followed by any company connecting hardware or software to the web — including security by design, defense in depth, principles of least privilege, etc. In Carter’s opinion, however, these are basics. “I would hope that the automakers have learned enough from the IT world’s experiences, and they [should be] already doing those essential things.”

A few experts, including Carter, pointed out that the U.K.’s guidance does not go far enough in the area of software updates after a vulnerability is discovered.
