The Leading Edge of Cybersecurity: Three trends reshaping vehicle security
Cybersecurity continues to occupy much attention in the automotive world.
We are soon going to have millions of connected land, sea and air vehicles traveling the globe. Those vehicles, connected businesses and other users will all require and rely on direct, real time, wireless access to operational vehicle data in order to advance safety, drive productivity and operate responsibly.
In addition, as vehicle electrification and autonomy advance, direct data access will become increasingly more important. Much like this emerging technology, security issues are constantly evolving. In just 2018, three trends have gained traction in the security world that we should all be aware of.
TREND #1: FBI SAYS MOBILE PHONES ARE NOW THE #1 SOURCE OF VEHICLE CYBERATTACKS
“Automobiles are rolling connected networks, which are vulnerable to successful cyberattacks by individuals, devices, botnets and more,” FBI Special Agent Paul Schaaf said in his Cybersecurity and the Automobile Report, presented at the NASTF Spring General Meeting. “While other vehicle vulnerabilities still exist and need to be addressed, increasingly, the FBI finds more auto cyberattacks are being directed through mobile phones than other attack vectors — most of which haven’t gotten into the press or other media.”
Modern cars hold as much as 2.6 miles of connected wiring systems that communicate with homes, cell phones, vehicle repair facilities, insurance companies, and other vehicles. When drivers or passengers bring their connected phones into automobiles, the devices expose both the vehicle and the individuals. Hackers who penetrate a mobile phone can crawl the entire address books, scan lists of emails, copy SMS messages, and even look into web locations most recently visited online.
Typically stored as unsecured plain text, hackers can leverage that vector to connect to other vehicle systems, dealerships, service repair facilities, and even reach as far as an automaker’s internal business systems to create extortion and/or ransomware opportunities. Yet most of us don’t think twice about having our phone on and connected to our vehicle.
Schaaf also lamented the insufficient efforts of automakers regarding security.
“This report should serve as a red flag for the auto industry and its consumers,” Schaaf said. “Most auto manufacturers are still not taking security seriously enough. Vehicles are getting smarter every year, but their exponentially increasing computational power isn’t being backed up by good IT and security practices from the OEMs. Some might ‘penentrate-test’ some vehicle subsystems for intrusions, none ever do that for the entire vehicle. This needs to change if future drivers are to be totally secure on the road.
TREND #2: SECURITY INTO AND OUT OF VEHICLE IS CRITICAL
Craig Smith is the Research Director of Transportation Security for Rapid 7, a leading automotive cybersecurity firm that offers penetration testing and other services. He began as a “white hat” hacker, just messing around with vehicles, which led him to his mainstream career.
“Both connected and semi-autonomous vehicles need the Cloud to manage the volume and variety of data that must be shared, processed and reacted to in real time,” Smith said. “But from a hacker’s perspective, the Cloud is really easy to mess with.”
In May 2018, these shortcomings took a serious turn for the better with the formation of the Neutral Vehicle Working Group (NVWG). The NWDG is an international, multidisciplinary group of technical, industry and policy experts in the areas of telematics technology, engine diagnostics, cyber security, large-scale data storage, data analytics, data privacy and data usage rights. It reaches out to and interacts with leading experts and stakeholder representatives throughout the global transportation ecosystem.
Smith explained the group is based on five pillars:
– Neutrality facilitates a higher degree of interoperability subject to governance by oversight of users and stakeholders.
– The group assumes software code is public or readily viewable. To secure data transfer, cryptographic standards, digitally signed updates, authentication keys and other measures are necessary.
– Using a common set of APIs and vehicle data improves interoperability between different hardware and software providers. It also encourages innovation.
– Vehicles are trending to becoming encrypted repositories that store and forward data within a governed and anonymized Cloud environment. In layman’s terms, in the past, a mind shift is underway: Where we once had been concerned about securing data itself, instead, we must work toward securing the actual exchange and sharing of data.
– The NVWG is compliant with new, more stringent European Union’s General Data Protection Regulation, which went into effect May 28, 2018. Essentially, legislation lets customers decide what data they will share and non-compliant firms could face millions of dollars/euros in fines. (You may have recently received personal emails already to this effect.)
The future of mobility will be determined by the decisions industry stakeholders are beginning to make now about how data generated from vehicles will be accessible, who gets to use it, and who gets to control access to it. Access to and interaction with the high volume and variety of data will require a data ecosystem that is open, neutral and secure. Efforts to establish the Extended Vehicle Concept or its aftermarket alternative, the Secure Vehicle Gateways, are just a small part of the broader discussion now underway.
TREND #3: AUTHENTICATED DIAGNOSTICS IS IN YOUR FUTURE
“Fiat Chrysler and other automakers are securing their vehicles with active security gateways,” said David Sequino, co-founder of Integrity Security Services. “They have also retained our firm to develop a prototype model by October 2018 that would implement authenticated diagnostics — a movement within the automobile industry toward securing and authenticating every connected device and bona fide user in the automotive, and eventually, transportation ecosystems.”
“There can be more than 300 million lines of software code in automated cars,” Sequino said. “Finding a faulty line of code is worse that trying to find a needle in a haystack. It’s more like trying to find an atom in a haystack. Every single line of code needs to be validated for safety-critical vehicle systems. But today’s reality is there’s more future technology in vehicle than preparation, yet the need for system integrity is directly proportional to the degree of the vehicle’s autonomy.”
Integrity Security Services is the largest embedded security company in the world. It has been heavily involved in the aerospace industry — notably safety-critical military and civilian applications — and has recently turned its attention to the auto industry.
“Our mission is to provide a simple, straight forward service for independent operators and tool providers to securely service vehicles,” Sequino said. “Between now and this October, we need to know, understand and integrate the various use cases.”