Unsecured at Any Speed: The Cyber Risks of the Connected Car
I have never seen anyone pull into a parking space, get out of their car and leave their laptop, wallet, iPhone, social security card, list of most important passwords and their banking information on the hood before walking away. But as the era of the connected car begins, that may essentially start happening every day.
The masterfully intuitive UI/UX and computing power of smart phones, among a host of other digital devices we use daily, has conditioned consumers to enjoy and demand equal levels of usability and convenience in all their devices. And where there is demand, supply follows. From refrigerators to washing machines to thermostats and electric meters, connected appliances are staking out an ever-larger part of their markets.
Each poses any number of cybersecurity risks and challenges—both for user privacy as well as their ability to be harnessed as bots in a DDoS attack. But the fact is, no hacker has ever sent a fridge hurtling down a street at 75 mph. And nobody ever hauls a washing machine out to sit unattended in a parking lot for hours.
While no other device shows the promise and possibility of digital technology’s power to drive practical and extraordinary innovation, the connected car also reveals the risks and challenges other industries face in achieving digital proficiency.
As much as it is an automobile, the connected car is equally an interconnected system of complex networks that can be broken down into three very different types of digital environments.
The first is the internal onboard network that operates the vehicle. It includes engine, transmission, and drive chain monitors, system gauges, fuel and safety systems, cameras and radar, and more.
The second, the external commercial networks, include consumer-facing entertainment systems, GPS and connectivity to other devices. Already, onboard emergency systems can detect an accident and contact emergency responders. Soon, cars will also be tied to financial information, allowing drivers to order everything from movies or fuel to fast food without requiring drivers to pull out their credit card.
Third is the extravehicular networks. Self-driving cars not only require sophisticated onboard systems. They must also interact with road and traffic control information, updates from transportation systems, and data from other cars. Seamlessly. In real time. While never losing a connection or clear signal, or experiencing a glitch within their own complex series of internal networks and operating systems.
The time to ensure this security is road ready was yesterday.
Even though connected cars are in their absolute infancy as a consumer product, the expanded attack surface they present is rapidly catching the attention of cybercriminals.
As far back as two years ago, Chrysler had to recall 1.4 million vehicles after a pair of hackers showed how they could override a Jeep’s digital systems from the Internet. They demonstrated how they could stall the vehicle on a crowded highway or cut its brakes, floor the acceleration or jerk the steering wheel at any moment.
From a security standpoint, protecting an array of very different systems networked together is extremely complicated. It calls for the development of a whole new range of partnerships across both the private and public sectors. Those partnerships must be forged now, because security is not something that can be effectively added as an aftermarket solution.
To provide suitable cyber protection, auto manufacturers need to design and deploy technology from several key understandings.
First and foremost is that security must be everywhere. Security systems need to span across communications standards, devices, and networks. They also need to extend visibility and control beyond a single vehicle to include the larger transportation ecosystem.
Security must be integrated as well. Connected cars require several different security solutions working as a single system. This includes connecting back to a cloud-based network to share and correlate events and receive security patches. The ability to receive these patches also requires real-time threat assessment and system updates. While this can be accomplished by the end customer applying fixes with a USB stick, or a trip to the dealership, those options widen the window of threat opportunity, increase risk and inconvenience (can you imagine having to haul your desktop into the shop every time it needs a security update?), and could quickly bring the legal liability of auto manufacturers into the digital era.
It may go without saying, but the security of the connected car must be powerful. The security weaknesses seen in many IoT devices must stop here. So add things like encryption to protect financial transactions, locations and the privacy of communications between driving and safety systems.
And all of this must be highly automated. Digital reactions need to be made instantly, automatically and autonomously based on a wide array of information. This will require the development of AI technologies that can make critical, instant analysis and interventions.
If connected cars are shared, onboard computing systems will have to automatically adjust to different cyber profiles, including credit card information, subscriptions to entertainment systems and preferred settings, as well as travel and destination histories. Whether this will be achieved through onboard data segmentation, or by tying an occupant’s cyber profile to a digital avatar remains to be seen.
In his famous 1965 best-seller, Unsafe at Any Speed: The Designed-In Dangers of the American Automobile, Ralph Nader accused the auto-industry of a resistance to safety features that harmed and killed tens of thousands of Americans every year. The book inspired passage of the National Traffic and Motor Vehicle Safety Act and seat belt laws in 49 states.
Whether we are at a similar point largely depends on how willing auto companies are to reach out and accept help, guidance and collaboration during this important transition to a new and exciting era. Hopefully, there will be no historic parallels as we harness the extraordinary digital innovation that drives us forward.
This byline originally appeared in Forbes.
Our white paper on “Understanding the IoT Explosion and Its Impact on Enterprise Security” provides more details on the security risks of IoT and what organizations can do to address them.