Telematics and data security

Telematics and data security

It could start with a single virus-infected CD. You play it on your car stereo, and the next thing you know is your car will go no faster than 2 mph. 

Now imagine the virus using your address book and cellular connection to spread to other cars, and then those cars to infect yet more cars. 

“Within 10 weeks, you could hit every car with a cell phone connection in the United States and bring transportation to a halt,” says Scott McCormick, president of the Connected Vehicle Trade Association, citing a 2011 University of California, San Diego, and University of Washington study that showed how malware on a CD could infect a vehicle. 

Though the automotive industry has yet to come face to face with a security breach of this magnitude, or any sizeable security breach, for that matter, the possibility of it happening has everyone on edge, particularly as telematics grows in complexity, connections to infrastructure/vehicles (V2X) and brought-in devices multiply, and in-car app environments open up. “A car has to work all the time, in all conditions.” McCormick says. 

Already, car thieves are using sophisticated key programmers and immobilizer overrides to steal cars. According to a recent report by SBD, the automotive technology consultancy, the “speed with which these devices perform their attacks on the embedded software, via the OBD port, has transformed electronic theft from a minority method to, in some markets, the dominant method used by thieves to steal the most targeted models.” 

But strong progress is being made in automotive security as well, particularly when it comes to areas of privacy and security of vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications. “Questions about security and privacy come up very early,” says Andre Weimerskirch, president & CEO of EScrypt, an embedded security provider. “Proper mechanisms will be key to success.”

Many of those mechanisms are already in place. 

For example, both Weimerskirsch and McCormick feel confident about the security of V2I communication links in the United States. “That’s been done,” McCormick says.

The systems use public-key infrastructure (PKI) to create, manage, store, distribute and revoke digital certificates while public-key cryptography encrypts data and authenticates senders. 

The U.S. Department of Transportation is providing funding and the Crash Avoidance Metrics Partnership (CAMP) continues to refine and update the designs, with particular view to the ongoing Ann Arbor Safety Pilot. Continued experimentation and development are now focused on securing hardware within the vehicle and on finding the balance between access to data generated by V2V/V2I communications and ensuring the security and privacy of the system.

(For more on the Ann Arbor Safety Pilot, see Ann Arbor and the future of V2V/V2I, part I and Ann Arbor and the future of V2V/V2I, part II.)

Inside the vehicle

Smartphones are currently frequent conduits for in-vehicle connectivity, and if this continues to be the case, “there are certainly applications that require securing [these] interfaces and data,” Weimerskirsch notes. 

Because they do not control them, carmakers will assume that the smartphone or other connecting devices are not trustworthy and potentially malicious, he believes. Therefore, “the automotive portion needs to be properly protected by the carmaker.” 

Further complicating this is the fact that these situations are OEM- and application-specific and solutions are likely to be kept proprietary as they’re developed.

But Weimerskirsch is quick to add that V2V safety applications, which are the current focus, at least in the United States, do not require smartphones or financial data, so these sorts of security concerns are not a factor for the development of this technology. 

What’s more a factor is protecting the vehicle’s electronic safety control system from malicious attacks as more and more data passes through the car, explains McCormick. The infected CD paralyzing a car is a case in point. 

However, while the idea of it happening is scary, it’s also relatively easy to fix. The electronic safety control system (antilock brakes, road-condition sensors and the like) works from the CAN bus, which is unique to each vehicle model. “It’s security by obscurity,” McCormick says. “Those are closed systems.” 

The key, then, is keeping infotainment systems and CAN bus vehicle controls closed and separate from one another. This matter is currently a top priority within the automotive community because it’s essential to moving forward with new vehicle capabilities, McCormick explains. 

In addition to programs being developed by OEMs, such as the four-digit PIN lockout for the infotainment system available on some GM models, there’s also a federal research program focused on strengthening vehicle safety control systems’ protection from cyber threats.

Managing and protecting data (and drivers)

However, even as experts argue that the best way to secure the car is through keeping its systems closed, the public and app developers demand more options and more connectivity within the vehicle, which requires some degree of openness. 

Not all potential new apps are V2V/V2I-related, but the security and safety challenges they represent certainly apply to the realm, particularly looking into the future where V2V/V2I systems might take control of the vehicle in some situations.

Ford and GM have recently decided to make their APIs available to third-party developers, and McCormick sees this as a problem. Countless viruses and malware are created for smartphones each year, but the vast majority are handled and captured by the network’s servers, he explains. “In a car you don’t have server-side security.” 

In other words, there’s nothing to protect you from the information that comes in via the infotainment system. 

Nevertheless, there’s still time to develop needed security features right along with these enhanced vehicle functions. What will also be essential is laws making data exploitation a crime. “You can’t protect all the data,” McCormick says. “But you can punish those who do bad things with it. This is against international law. It’s theft.”

(For more on V2V/V2I security, see Telematics: Making V2X back-end infrastructure secure.)

Future progress

McCormick acknowledges that there will likely be both collaborative and individual advances as OEMs work to improve in-vehicle security for their unique models and brands, and he believes the most useful collaboration would be “not just a bunch of car guys.” 

OEMs are not known for their ability to work together, but it happened before, such as when Mercedes developed and then shared their technology for the air bag. “We need something like that here,” he continues.

CAMP’s work will certainly be shared with participating automakers, and perhaps with others as well since it’s received federal funding, McCormick notes. And he believes organizations like GENIVI will address security within their areas of focus. 

“Hopefully, exposure of this area will allow other industries with expertise to weigh in and provide additional support for the solutions,” he says.

Jessica Royer Ocken is a regular contributor to TU.

For all the latest telematics trends, check out Content & Apps for Automotive Europe 2013 on June 18-19 in Munich, V2V & V2I for Auto Safety USA 2013 on July 9-10 in Novi, MI, Insurance Telematics USA 2013 on September 4-5 in Chicago,Telematics Russia 2013 in September in Moscow, Telematics LATAM 2013 in September in Sao Paulo, Brazil, Telematics Japan 2013 on October 8-10 in Tokyo and Telematics Munich 2013 on November 11-12.

For exclusive telematics business analysis and insight, check out TU’s reports: Telematics Connectivity Strategies Report 2013The Automotive HMI Report 2013Insurance Telematics Report 2013 and Fleet & Asset Management Report 2012.

Leave a comment

Your email address will not be published. Required fields are marked *