There’s no time to lose in locking hackers out of connected cars

“Your car is a giant computer – and it can be hacked,” blared the headline on CNN’s web site.
That feels like a lurid, sensationalistic sound bite; surely in this advanced day and age, connected car systems are fairly impervious to attack?
Except that they’re not. In a recent article that’s created a stir in the connected car world, Wired magazine engaged a pair of expert white hat hackers in an experiment to hack a Jeep Cherokee. One of these ‘hackers’ was Chris Valasek, who spoke to TU-Automotive last year.
As with many instances of fresh technology, the demands of the connected car have put an emphasis on functionality rather than security. Put another way, the market is moving quickly, and until recently security considerations seemed to be getting left behind.
Of course, car makers and enterprising telematics firms are spending some time and effort to lock up these systems. Argus Cyber Security, an Israel-based connected car specialist, has software that features an algorithm that inspects all traffic flowing to a car’s network. In the company’s words, this watchdog “identifies abnormal transmissions and enables real-time response to threats.”
On paper, this is an effective way of dealing with what some commentators say is one of the top vulnerabilities of in-car systems – often, their main ring of protection is a firewall surrounding the network. Once this is breached, the vehicle can be open to attack.
The car makers, particularly in light of the Jeep hack, are taking steps to bolt down their systems from potential attackers. The question is whether these efforts are sufficient. In addition to their proprietary work on cyber-security, the 12 big auto makers that comprise the Alliance of Automobile Manufacturers have formed what they term the Information Sharing and Analysis Centre. The Alliance described ISAC as “a central hub for intelligence and analysis, providing timely sharing of cyber threat information and potential vulnerabilities in motor vehicle electronics or associated in-vehicle networks.”
That’s certainly a step in the right direction, and offering up this information for dissemination and analysis can only help in the fight against hackers. But given that the roots of connected cars reach down several decades, it feels like a move that should have been made much sooner. Plus, any advancement made by such a body is likely to take some time to filter down into the actual systems used by the car makers and their suppliers.
So, to be charitable, vehicle cyber security has quite some distance to travel before the average connected car is reasonably secure. Following the revelations of the Jeep hack, which is being widely discussed within and outside of the car and e-security industries, we will almost certainly see greater measures being taken to address this issue.
Hackers like Valasek say that auto makers and connected car service providers need to take a layered approach to security. This means locking up every key aspect of the system’s functionality: its remote connectivity, its internal network and the reams of data it produces, to name but a few. Look for security solutions to be developed in every conceivable facet of the connected car.
It’s not only the high-profile hack orchestrated by Wired that’s making this matter urgent. In the very near future, the connected car will be the rule, not the exception, on our planet’s roads, and that’s even before the driverless car starts taking over the motorway. Estimates from Forrester Research anticipate that the number of connected cars shipped throughout the world will climb from 2012’s 5.4M to 36M in 2018. That’s a nearly seven-fold increase over a mere six years.
It’s bright green light time for connected car security, then. Hopefully the manufacturers and the outside firms that specialise in the technology are stepping hard on the accelerator pedal; there’s little or no time to waste.