Connected cars: Why customer security must be a key consideration

by
28th Jul 2015

The news that Chrysler is recalling 1.4 million vehicles over concerns that they can be remotely hacked via the internet will have set (car) alarms ringing in some quarters. 

Every day we hear of new developments in the Internet of Things (IoT) and it is exciting to imagine a world where we can control so much via our smartphones. But there could be an opposing viewpoint that we need to consider since we can easily get carried away with advancements in connected devices.

Someone recently stated that the development of IoT is equivalent to the Industrial Revolution and they might be right. Historians will tell you millions suffered during the Industrial Revolution, all in the name of progress. Are we now entering a similar phase? What I want to know is where does security sit in the development of IoT?

One example of the technological advancements we are witnessing is Volvo’s Apple Watch version of its On Call connected car platform. The platform originally provided safety and location services in case of accidents and breakdown, or even theft, but an update at the end of June will allow navigation information to be sent to the car from the watch. Other carmakers are working on similar apps which could mean that if you lose your Apple Watch, someone else will be controlling your car.

Some of the applications of IoT in vehicles include fleet management and control, location of stolen vehicles, pre-programming journey routes as well as emergency assistance in the case of accidents. But additionally we can soon expect location-based ads appearing on our dashboards, telling us where the nearest Starbucks is or offering us vouchers for nearby service stations. There is the real possibility of distraction whilst driving to be considered. A quick glance at people in any social situation tells you that your mobile device is the primary point of attention – so do we really need it whilst we’re driving? Companies are starting to manufacture heads-up displays on vehicles already - check out Navdy to see what I mean.

Safety campaigners are already voicing concerns about how many accidents will result from deploying these devices; however, I am more worried about the hack that sends you down a blind alley, or starts collecting personal data. What will happen when devices like Vinli that plug into your car's OBD II port, which is a USB-like data interface, begin to gain traction? Your car and all its systems will be accessible via the internet. According to the company, more than 1,000 developers are now building apps for this purpose. Hasn’t the security industry spent the last 10 years trying to lock down USB ports? I can imagine Vinli-type devices being distributed as swag at trade shows just like USB keys.

So we could view connected cars as iPhones on wheels, making them susceptible to the same issues we face on a daily basis with computers. Additionally, cars are big hunks of metal which can cause serious damage when not in control. For example, BMW recently admitted that its ConnectedDrive platform had been hacked by researchers, who took control of the air conditioning and door locks. Could they have also controlled the brakes or engine management system? This has been proven, but not necessarily on a BMW. Seeing as Gartner predicts there will be over 250 million connected cars on our roads by 2020, that makes for one heck of a big mobile botnet!

Who is looking after users and ensuring that systems can’t be exploited? Are car manufacturers conducting security audits on the source code of the systems and do they have an effective vulnerability assessment program set up? Are they implementing security assurance and oversight programs? Perhaps what is needed is a strong set of guidelines aimed directly at the vehicle industry, which would be a slow and difficult process. We know compliance only works when it has teeth, and is backed by regulation, serious fines or some other form of penalty, as otherwise it is just regarded as another cost of doing business. Tesla recently hired hackers whilst at DEF CON, presumably to assist with security, and it also maintains a public security researcher hall of fame. Or maybe Volvo will become a leader, as people often buy their first Volvo because of its reputation as a safe, family-oriented company. Many of the physical vehicle safety innovations were designed, developed and pioneered by Volvo.

However, more often than not, businesses prioritise profits and only invest in safety innovation when coerced by governments, customer demand or peer pressure. Looking further ahead, what happens when driverless cars start to appear on the road? Serious trials are reportedly starting soon. So what about physical safety? The systems that control and coordinate the cars, which may be hosted in the cloud, are all prone to intrusion and failure. Also, can we trust carmakers to keep our data secure when even the US government isn’t capable of doing so? It does bring to mind that classic scene in the original Italian Job, when the mad Professor Peach replaces the magnetic tape on the mainframe computer to disrupt Turin’s traffic systems. The scriptwriters had a moment of brilliance, because they foresaw exactly what could happen when hackers attack interconnected transport systems. We can however gain some comic insight here - I can imagine a string of connected vehicles being hacked to block major junctions in a capital city somewhere, with law enforcement powerless to stop them.

Privacy campaigners are busy debating how our most personal information is being sold as a commodity, and even Tim Cook of Apple has announced data privacy as a top priority. Your car could collect all kinds of data about you and all who travel in it. Soon it may be able to tell its stories, only not quite as we had ever expected. We already know that vehicles with internet connectivity are sending huge amounts of data to manufacturers, although thankfully they are not yet doing much with the information. But could there come a time when more money is made from the sale of private data as opposed to the sale of the vehicle itself? If that is the case then as an industry we need to change how we consider the security of connected vehicles, as we have seen it all before.

The industry has already started gearing up for this new marketplace, with the Los Angeles Auto Show launching the Connected Car Expo in 2013 and Google forming the Open Automotive Alliance in early 2014. Both ventures seek to utilise IoT technology in vehicles and to discuss the challenges faced in this evolving marketplace. The starting pistol has been fired!

All of this is, of course, speculation, but what we do know is that the Internet of Things is here to stay and connected cars are becoming commonplace on our roads. We will see innovation occur much faster than ever as both fast networks and high-powered software become more widely available. The supporting hardware is already developed. I believe the security industry has both a responsibility and a huge opportunity in our midst. As usual, innovation will be left to an entrepreneur with a world-saving vision.

Richard Kirk is SVP, telecom and service provider sales at AlienVault.
