As the Internet of Things (IoT) revolutionizes the way consumers interact with hardware in their daily lives, security has come to the forefront—with connected cars at the vanguard of the conversation.
By 2020, there will be nearly 21 billion devices connected to the Internet, including smart refrigerators, water meters and even binoculars, according to the IDC (News - Alert). But online vehicles might be the first transformative wave that consumers experience. In fact, up to 22 percent of passenger vehicles worldwide are expected to be connected to the Internet by 2020, according to IDC, with that percentage in developed economies like North America ticking much higher.
Given the safety concerns associated with hurtling along the interstate at 65 MPH, it is, of course, in everyone’s best interests that cyber-defenses and best coding practices are part of the vehicle’s design from inception to assembly line.
“Manufacturers cannot afford to be complacent when it comes to application and overall system security within vehicles,” said Duncan Brown, research director, European Security Practice, IDC.
A History of Hacks
Unfortunately, so far, the driving record, so to speak, has not been great. Just last month, it was revealed that completely unauthenticated APIs for the mobile app that goes with the Nissan LEAF can open the door for hackers to remotely control the world’s best-selling electric vehicle.
In a stunning oversight in connected car security, security researchers Troy Hunt and Scott Helme found that an attacker with access to a vehicle’s VIN number (something that’s visible in the windshield of every Nissan LEAF) can control the climate control and other features of someone else’s car, literally from the other end of the earth. They can also check the battery status, and access a person’s driving history—including locations and times, which is of course a potential privacy nightmare.
The ramifications are clear. “Fortunately, the Nissan LEAF doesn't have features like remote unlock or remote start, like some vehicles from other manufacturers do, because that would be a disaster with what's been uncovered,” said Helme. “Still, a malicious actor could cause a great deal of problems for owners of the Nissan LEAF.”
Worryingly, it’s been shown that hackers, if they’re enterprising enough, are indeed able to remotely control more dangerous aspects of a connected car. Last fall, U.S. auto giant Chrysler recalled 1.4 million cars (the 2015 model of the Dodge Ram pickup, Dodge’s Challenger and Viper, and the Jeep Cherokee and Grand Cherokee SUVs) after researchers demonstrated that the connected Jeep Cherokee could be hacked via the car’s internal 4G connection.
Security researchers Charlie Miller and Chris Valasek demonstrated – with an unsuspecting journalist driving 70mph on the freeway – that they could take over a car’s air-conditioning, in-dash system and windshield wipers remotely. Miller and Valasek also said that they could take control of the vehicle’s brakes and steering, and, yes, remotely lock and unlock the car.
Sixteen major automobile manufacturers responded to questions from Sen. Edward J. Markey (D-Mass.) in 2014 about how vehicles may be vulnerable to hackers, and how driver information is collected and protected. The results were not positive: The lawmaker’s report shows a vehicle fleet that has fully adopted wireless technologies like Bluetooth and even wireless internet access, without addressing the real possibilities of hacker infiltration into vehicle systems. Also, there is overwhelming potential for the widespread collection of driver and vehicle information, since few automakers have implemented privacy protections for how that information is shared and used.
Car companies are unfortunately not cyber-security specialists—and the situation points out the growing pains that are likely to continue as online, virtual dimensions intrude on slow-moving manufacturing and design businesses that have always just been about the hardware.
“The situation with the Nissan LEAF and the demonstration of how easy it is to decipher the communication between the car and the back-end is yet another demonstration on how security frequently becomes an afterthought for companies not accustomed with the broader issues surrounding the Internet of Things, or IoT,” said Reiner Kappenberger, global product manager for HPE Security – Data Security, via email. “It is not uncommon that companies put their traditional security measures, normally deployed for their normal infrastructure, in place when creating an IoT solution and thus focus on areas like network and event logging and monitoring for their data centers. However with the explosion of new IoT environments, this is just another demonstration that this is not enough.”
First Gear for Car Security
What manufacturers and developers of IoT devices need to consider is that it is not only the protocol they use but also the authentication and authorization to these services. Clearly the Nissan LEAF attack shows that neither of these were present but they could be fixed easily with a software update. It also demonstrates that the communication between the mobile device and the back end was not encrypted.
“Most people, when using a mobile app to do their finances, would not connect to their bank if they do not see a green bar showing proper SSL protection, yet have no visibility into the fact that the mobile application that they are using does not encrypt their data at all,” Kappenberger said.
And indeed, research from Veracode has revealed that automotive manufacturers on average have a security lag of up to three years before systems catch up with cyber-threats. It also shows that car-makers do not feel they need to worry about driver data privacy.
However—and it’s a big however—consumers are waking up to the dangers, which may force manufacturers’ hands when it comes to correcting that lag.
Veracode found for instance that half of British drivers (49 percent) are concerned about the safety of the connected car. Respondents also believe that manufacturers should be liable for the cyber-safety of the connected car: 87 percent of drivers polled believe all aspects of safety – including resiliency of applications to cyberattacks – rests with manufacturers, regardless of whether an in-car application was developed by a software company or the car manufacturers themselves.
Also, 46 percent of drivers are concerned about privacy, particularly as navigation systems evolve to do things like find, reserve and pay for parking automatically. Here, the potential for leaking credit card information and other personal data is clear.
“What we’re seeing happen in the auto industry is a microcosm of what’s happening in financial services, healthcare and virtually every other sector – applications are not created with security in mind, creating a major area of risk,” said Chris Wysopal, CTO, Veracode. “Exposing a car to the Internet makes it vulnerable to cyberattack due to poorly written software, which could render the car unstable or dangerous. Building a secure application development program is a significant challenge for manufacturers, which is compounded by the need to do so under the microscope of government regulated safety standards and liability concerns.”
Applications Crash-Test: A Rising Threat Vector
Unfortunately, the security implications in the connected car ecosystem don’t just impact vehicle and component manufacturers. Eyeing a big applications opportunity, independent software vendors (ISVs), are racing to keep up with driver demand too, opening a new front in the cyber-battleground.
Case in point: as the ability for drivers to download applications to navigate, park, communicate, conserve fuel, self-park or do other things gives hackers a way to penetrate the car’s network, or, worse, control critical aspects of the user experience that can lead to driver distraction or even loss of control. And as mentioned before, there are escalating privacy and financial data protection concerns too.
Also, Veracode respondents from Fiat-Chrysler, Seat, Scania, Delphi (News - Alert) and German industry body ADAC all agreed that driver-downloaded applications pose concerns around the security of critical systems being exposed to applications they did not develop. This creates situations where the safety of the vehicle would ‘leave the control of the manufacturer’.
“The developers have the best intentions and do a terrific job creating those applications,” Kappenberger said. “However they are typically not security experts and, therefore, implement protocols that either have limited or no security elements incorporated. Making sure that security is a first class citizen during the design and development phase of those applications is more critical in the IoT space than ever before. While today’s security best practices focus on the security of the data, with IoT we now must consider the implications to physical security of infrastructure and of people, as we see in the connected car.”
Half of drivers in the Veracode survey are concerned about the security of driver-aid applications, such as adaptive cruise control, self-parking and collision avoidance systems, reflecting an equal level of concern with the safety of the entire vehicle. But this isn’t likely to affect the market very much.
“The positive implication from our research is that the market for downloadable applications is large, spanning the entire market of drivers of all ages and genders,” Brown said. “Manufacturers should increase their focus on how to secure applications that enhance car functionality, such as the many driving aids currently being developed.”
Rolling with Solutions
The state of connected car security may leave much to be desired today, but there are bright horizons ahead. For instance, trusted platform module (TPM)-based solutions are expected to play a key role in securing vehicle-to-cloud (V2X) applications and systems.
TPM is an international standard for secure cryptoprocessors, which are dedicated microprocessors designed to secure hardware by integrating cryptographic keys into devices. Infineon, which is ranked as a world leading supplier of automotive semiconductors, has for instance debuted a solution for embedded security in connected cars based on its OPTIGA TPM.
A combination of ease of use in system design and implementation paired with the robust nature of hardware-based security is increasingly recognized as essential to the success of IoT deployments as well. One result of this is that researchers at IHS (News - Alert) Technology forecast that the use of embedded secure microcontroller units (MCUs) in all IoT applications will grow at a compound annual rate of 30 percent between 2014 and 2020, reaching shipments of more than 480 million units.
MCUs use symmetric cryptography to provide secure communications; offer authentication and anti-cloning to protect manufacturers and consumers from spurious after-market and counterfeit accessories, disposables and replacement parts; offer IP protection that prevents malicious and dangerous code from being inserted into car algorithms and apps; and offer tamper protection help to seal customer applications and protect devices against retrieving and modifying systems and information.
As these small steps continue, it’s important to remember that it’s not just cars that should be of concern when it comes to the burgeoning IoT ecosystem.
“The ability of smart cars to put us at risk is just a small part of the larger trend towards everything in our lives becoming computer controlled and networked,” Lance Cottrell, chief scientist at Ntrepid, commented via email. “Some of these have the ability to violate our privacy, while others have the possibility of harming us physically or damaging critical infrastructure. Automakers, like most other companies involved in the Internet of Things, are primarily focused on ‘cool’ capabilities with security being an afterthought at best.”