Increasing IoT features could open new doors to hackers

The future is in technology, but its adoption means that automobiles are more complex than ever.
Telematics units have evolved to provide a multitude of connection points, including 4G, Bluetooth and USB. Consumers use those features to send and receive data from a growing number of products and services.
Visa has been experimenting with a service that would allow consumers to pay for fuel and parking directly from a car, effectively turning automobiles into mobile payment devices. Meanwhile, automakers have already developed smartphone apps that can remotely control certain parts of a vehicle, including the engine.
The list of features will continue to grow as long as consumers demand them. Consequently, automobiles may become more susceptible to cyber threats. How can the industry stay ahead of any and all potential vulnerabilities and prevent future attacks?
Richard Wallace, director of transportation systems analysis at the Center for Automotive Research, said that automakers should firewall the important ECUs that control braking, steering and acceleration.
“Protecting the whole data network on the vehicle, that is important as well, but not nearly as important as protecting those critical ECUs,” said Wallace.
Wallace said automakers must do whatever they can to improve vehicle resilience to cyber-attacks, and suggested forming an industry-wide consortium to stay on top of (and respond to) any attacks that occur.
“A lot of other industries do that – insurance, banking and so forth – so they can have a quick response,” Wallace added. “Another critical thing is over-the-air update capability. That potentially introduces a weakness because you’ve got another over-the-air connectivity point but it also provides you with the pathway to fix, patch and repair known vulnerabilities.”
Two kinds of failure
Mike Zusman, founder and president of Carve Systems, said an overly complicated system can lead to two kinds of failure: accidental and intentional.
“It isn’t always as apparent as you would think to the folks responsible for maintaining or managing that technology,” said Zusman, whose firm provides IT security consulting services. “We still see a lot of organisations that don’t know what services and applications they have exposed to the Internet. When you don’t know what’s exposed, you have a greater attack surface and generally there are a lot more things that can be attacked.”
Zusman believes that automakers can reduce their attack surface by turning off unnecessary functions. He said they should focus on building “simple, elegant solutions” that reduce the opportunity for failure and make it more difficult to attack the asset.
Unavoidable vulnerabilities
Connectivity has become an essential feature for many consumers, while also providing another gateway for malicious threat actors. There are concerns that hackers will use mobile devices to break into and take over automobiles, but that may not be the easiest or weakest entry point.
“It’s not impossible but it’s extremely difficult,” said Anuja Sonalker, former vice-president of engineering at TowerSec. “It’s a mix of so many different technologies. Imagine multiple different layers, and all of those layers between your phone and your car have to stack up, and you have to be able to find the holes that align to get in. It’s a very complex vulnerability to exploit.”
Sonalker, who is now the co-founder of a new cybersecurity company, Sarti Systems, said that she is more concerned that hackers will use a car’s official app to break in.
“Some of the carmakers make apps where you can remotely turn on your engine from your phone,” said Sonalker. “You press a button, you unlock your doors.”
Those features aren’t problematic on their own, but Sonalker said that automakers have created an app that provides legitimate entry into the car. She thinks that represents a much bigger risk than other possible vulnerabilities.
“All somebody has to do now is be able to hack that phone so that they can launch that app,” said Sonalker. “Once somebody can launch that app, everything else is just by design. Those apps have to be better tested. There’s a risk element here that you cannot deny.”
Preventing hacks
Syed Zaeem Hosain, chief technical officer of Aeris, an end-to-end M2M and IoT service provider, said that security is not just the act of preventing hacks.
“It’s also detecting when they occur,” said Hosain. “If you can detect it ahead of time and prevent it or take some action to avoid the scenarios, resolve the issues that take place quickly, [then] I don’t think it will be a problem.”
Hosain believes consumers are taking an “educated risk” in wanting features that increase complexity and could make it harder for automakers to secure their vehicles. He said that as long as automobiles are protected to the degree that’s expected, consumers will accept the risk.
“One car [being hacked] is not the issue,” said Hosain. “Yes, you can cause a problem and you may have an accident. I would only get worried if 50,000 cars or an entire city of cars got taken over. That’s unlikely. That’s the concern I would be worried about.”