Should we be concerned about cyber-security for our cars? The short answer is yes. However, there’s a difference between concern and panic. Here’s why.
The leading web and technology companies have been tackling cyber security issues for many years, and still fall victim to hackers. As cars become increasingly connected, remote hacking attacks become an increasingly bigger (and more realistic) threat. Keep in mind, cyber attacks on cars probably won’t become as common as PC attacks, as hacking a car is difficult to do, difficult to scale, and the financial incentive is limited.
In most large companies, security awareness doesn’t always equate with security best practices. My experience with many Fortune 500 companies has shown that organizations typically evolve through discrete stages of cyber security maturity. First, they typically go through a “panic scramble” stage, which leads them to buy tools and appoint security leads to start “bolting on” security.
This invariably leads to a “pit of despair,” where the sheer number of vulnerabilities, the complexity of tools, the predominance of positives, the lack of training, and waning executive support results in a decline in security prioritization. Finally, these organizations begin to adopt security as an integral part of their entire process, rather than as an add-on, which lets them more effectively use tools, develop processes, and train people to move along the cyber security maturity curve.
There are teams within the automotive supply chain that have been concerned with cyber security for some time, while other groups have hardly begun. But I don’t believe any OEM or Tier 1 automaker has fully embraced security throughout its entire organization.
Security is a cost that doesn’t help enhance a product’s demand (or selling price, for that matter). As a result, companies must balance security and profitability. Automakers and their subcontractors typically operate with very thin margins, which makes spending on security even more difficult. Without mandatory security standards, there will be cases where someone in the supply chain cuts back on security due to costs. These “minor” cutbacks, can potentially lead to injury or loss of life down the line. Government-issued standards are most likely the only way to ensure that security is adopted throughout the automotive supply chain. However, it’s inevitable that these standards will result in increased costs to consumers.
The lack of security implementation throughout the automotive enterprises coupled with the lack of security standards has led to increased vulnerabilities in today’s connected car. There are many entry points for a hacker, including Wi-Fi, Bluetooth-enabled sensors, 3G/4G connections, NFC/RFID entry systems, DSRC-based V2X, OBD-II, and so on.
The On Board Diagnostic (OBD-II) port is extremely vulnerable to breaches for two reasons. First, it has direct access to the CAN bus. Second, it’s directly interfaced through various third-party dongles with Bluetooth to mobile phone connections. Often, these third-party dongles, which are used for Usage Based Insurance, Driver Monitoring, or Engine Performance Enhancers, aren’t designed with security in mind and can allow hackers direct access to the CAN bus and thus, by definition, the entire vehicle.
The Controller Area Network (CAN) bus, which connects most electronic control units (ECUs) in a car, is old technology with limited bandwidth. Until recently, most data sent over the CAN bus wasn’t encrypted, leaving cars vulnerable and defenseless against attackers. Now, carmakers are beginning to adopt encryption protocols to protect CAN communications. However, CAN is such a low-level protocol that it doesn’t have any of it’s own security features, but assumes that all the security and message authentication happens in the applications themselves.
So, there are many reasons why we should be concerned about cyber security in cars. In fact, showing signs of concern is a mature reaction that indicates an appreciation of the vulnerabilities of connected vehicles. It’s a precursor to implementing best practices and managing the risks. A healthy dose of fear is never a bad thing, as it keeps you on your toes and more aware of potential attacks. That said, there’s no reason to panic. Quite simply, the connected car is an inevitable paradigm shift towards a better automotive experience.
For the past two years, Gene Carter has been the Director of Product Management for the Embedded Security Business Unit at Security Innovation. Carter has spent the past 20 years in embedded and automotive product management roles for NXP Semiconductors, Philips Semiconductors, and Coto Technology. He holds an MBA from the University of Southern California’s Marshall School of Business and a BSc in Electrical Engineering from Tufts University.