Start-ups pose hacking threat to carmakers
Ransomware is high on the list of concerns for autonomous and connected vehicles but it’s not a problem manufacturers are dealing with presently. Some of them are, however, being exploited by unscrupulous cybersecurity start-ups that are looking to profit from automakers that are unwilling to cooperate.
“Some start-up cybersecurity shops are comprised of bad guys turned good guys, and they want to make a buck,” said Kaivan Karimi, senior vice-president and head of sales and marketing at BlackBerry Technology Solutions. “The moment an OEM says, ‘I don’t know you guys, I’m not going to give you a contract’, they threaten the OEMs that they’re going to hack them and go public with it.”
Karimi said he has spoken with automakers that have complained about these threats but he wouldn’t name names. He did, however, confirm that some carmakers were ultimately pressured into working with the threatening party. He added: “I know of companies that have actually got contracts like that. They are getting away with it because there is demand in automotive for security expertise and these guys are taking advantage of it.”
Not everyone has given in to their threats. Karimi said there are some manufacturers that simply would not deal with a company behaving in this manner. There are other automakers who have been more receptive because they are looking to thoroughly test their cybersecurity measures – even if it means working with less than savoury individuals. “I know a few OEMs who found the start-ups and said, ‘Hey, I’m going to pay you but come hack me and really test it – do the worst you can’,” said Karimi.
Securing the supply chain
Computers and smart devices are often at the mercy of the least-secure component. Automobiles could face similar challenges. Said Karimi: “About a third of all the hacks happening today, whether it’s for banks or hospitals, they’re not original hacks – they’re vulnerabilities and backdoors in the supply chain that. It gets exploited after the product starts shipping.”
Carmakers are comparatively new to cybersecurity, so they don’t have as much experience in dealing with these issues. Karimi said it wasn’t until the Jeep hack in 2015 that the auto industry, as a whole, began to comprehend the potential dangers.“In reality, you can look back at how easy it is to hack these cars,” Karimi explained. “If you’re a smartphone owner with Bluetooth, you at least have the means to hack the infotainment system in the car or through the key fob, depending on what it’s built of.”
Even the movie Fast 8, which featured a scene where several vehicles were weaponised remotely, is a hint of what might be possible. Karimi said the scene was exaggerated but is concerned about the future if cars are not properly secured.
He said: “At some point in time you will get there. When smart cities come in and all the end points are connected, theoretically it’s possible to coordinate all of that. Whether hackers do it or not, that’s a different story but it is very feasible for people to come up with threats and ask for a ransom. It’s something they can do in the background and collect money.” In order to secure the supply chain, Karimi said that components (such as processors) need to be authenticated from the beginning of their lifecycle all the way through to deployment and beyond.
Getting connected
Automobiles evaded the possibility of remote hacks for several generations simply because they weren’t connected to the Internet. Now that connectivity is coming into play, automakers will be forced to select a network to facilitate all of the Internet-enabled features, such as V2V and V2X functionality.
“I think the automotive industry is going to pick from a practical perspective,” said Karimi, referring to the various connectivity options.“Those decisions are not necessarily security-driven but they’ll choose one that will be more ubiquitous and add different security layers to protect it.”
Once a network is in place, electronics manufacturers will be in a rush to connect the car to as many devices as possible. From garage doors that open upon arrival to coffee makers that start up automatically when the car is headed home, these devices could offer another access point to malicious threat actors. Karimi isn’t too worried, however. He explained why: “I think don’t think these devices will be connecting directly to the car, they will go through a gateway. The car is a much more sophisticated device and it will have better security than a coffee maker.”
For the time being Karimi feels that carmakers are getting a “hall pass” because connectivity is still in its infancy. Fast-forward several years and it’s a whole other story. He warned: “If they don’t have their security story straight and they get caught, the brand is going to be damaged but they have woken up, they have taken it very seriously and they’re looking for the best solution that’s out there.”
[Tele.Bedigian.2018.01.17]
