By Stephen Morrow, SQS principal security consultant
Buoyed by today’s smart cities and the need for the world’s 1.2 billion motor vehicles to be able to navigate the world’s streets more safely, there has been a substantial rise in what is commonly referred to as the ‘connected car’. In fact, some 12% of all cars on the roads are predicted to be connected to the Internet by the end of the year. Internet-connected cars can enhance the driver's experience by providing driver-assistance apps, as well as information and a plethora of entertainment services.
Connected cars are already one of the biggest exponents of the Internet of Things (IoT) revolution. In fact, with smartphone penetration hitting a saturation point in many western countries, mobile-industry consultants Chetan Sharma revealed that in the US more cars than mobile phone handsets were added to mobile networks in the first quarter of this year.
A breach of public safety
While the market is firmly in fifth gear, the security that underpins connected car technology is still spluttering in second at best. There have already been a number of ‘stunt hacks’, such as a well-publicised one on Jeep last year where hackers took over the controls wirelessly and sent commands through the car’s entertainment system. This enabled access to its dashboard functions, steering, brakes, and transmission, with the driver inside unable to override them.
Until now, security and safety have been considered as two completely separate entities. Unlike high-profile breaches such as Home Depot and Sony, whose consequences have been confined to legal ramifications and a knock to consumer confidence, a breach of a connected car could lead to someone sustaining physical harm. This is, along with medical devices and critical infrastructure, the first time that computer security is intersecting with public safety, with serious ramifications.
A shift in focus
Automotive manufacturers have been focusing so much on adding functionality and usability that they haven’t been properly considering the threats. A shift in focus is needed. Manufacturers have to start placing security front and centre, and take the potential human safety impact much more seriously.
One of the things that automotive manufacturers seem to have been relying on is that physically getting hold of a car to deconstruct it and find the vulnerabilities is expensive, so bad guys haven’t yet been targeting them. While this may reduce the potential for curious teenage hackers, it certainly won’t prevent black-hat security researchers, organised crime syndicates or state-sponsored attacks. However, even this is a short-sighted view. Many of the systems now being put into connected cars can be downloaded from the internet, so they are accessible to all, including those with nefarious intentions.
A changing landscape
The information security landscape has changed. Back in the mid-90s, firewalls were all that was really needed to keep nasties out of your systems. That worked well until software became the target and the perimeter came down. Now the root problem is in the design and implementation at the software level, where the vulnerabilities typically manifest themselves from within the code when it is written.
A more proactive way of undertaking security in 2016 is to identify where the vulnerabilities are within the code and then recommend changes to remove the issue. This proactive approach means the vulnerability can be fixed before the product – whether it is a connected car, mobile phone or fridge – goes onto the market.
Source of the problem
While the attacks on connected cars have been limited to stunt hacks, it is no stretch of the imagination that criminals could use a similar technique to the Jeep hack to gain access and take control of a car innocently parked on your driveway. To minimise the risk, it is imperative that quality assurance and security are embedded across the development lifecycle, especially as requirements and architecture are being designed, to ensure that robust security protection is baked in from the very beginning.
While a potential bug in the code is generally an unintentional failing of the testing process that could be exploited at a later date, there are fears that it could be placed intentionally from within the supply chain. Because a connected car uses a number of relatively small components, there is great temptation for manufacturers to rely on open source libraries. However, this open source code, which by its very definition could be reused again and again, could have been written by anonymous coders (among a cast of 100 legitimate ones). These coders could be playing the long game by allowing bad guys in the future to infiltrate through a back door they may have placed into the system years before. It may sound a far-sighted way to do it, but it unfortunately does happen.
Testing the system for security vulnerabilities can take on various forms. It could be by undertaking a port scan to see which ports are open, which services are running on them, and then looking for known vulnerabilities. It could be using fuzzing to find weaknesses, where coding errors and security loopholes are discovered by firing large amounts of random data at a system in an attempt to make it crash. Sometimes, though, it can be as straightforward as connecting to the car and sniffing the data in order to reverse engineer it to find flaws.
A constant battle
The truth is that security is an ongoing process. In the commercial space, we are all used to routinely patching our systems. This is because new vulnerabilities and new methods of attack are always being developed and discovered. Yet, until now, automotive manufacturers have been complacent in their attitude to security. It was, more often than not, a token gesture tacked on at the end, rather than taken seriously and baked in from the start.
Security is not a complete solution and a system can never be truly 100% secure. However, by placing security alongside human safety when it comes to automotive manufacturing, there will need to be both an immediate risk reduction and a process in place, so that manufacturers can respond in the future if something happens. After all, the cost of testing is a drop in the ocean compared to the total cost of getting a new car to market, so it is a small price to pay for increased public safety.