We are often lectured not to talk or text while driving, yet increasingly, our cars are doing it all the time. The connected car is finally here, and it is the ultimate distracted driver.
While getting you from A to B, it is also monitoring its own tyre pressure and adjusting its suspension accordingly. It is ready to call the emergency services for you if you get into a crash, and let them know where you are. It’s downloading information via the internet, allowing you to unlock it with your phone, and preparing to drive itself.
The connected car is a platform for the delivery of many other services, all which can boost revenues for auto vendors and their partners. Value-added car servicing (having your car book its own air filter replacement, say), direct application integration with cars, and even entirely new financing models will become possible. “New business models could see you get the car at a reduced rate and then pay as you drive, on a per-mile basis,” predicted Gavin Kenny, an associate partner for IBM Security.
Another example could be insurance, he said. “Aviva already has mobile phone apps using sensors built into the phone. This could easily extend into car, enabling the insurance firm to charge you based on your style of driving.”
No wonder the market is jumping at the connected car concept. According to Juniper Research, these vehicles will represent a fifth of the automotive market by 2019. Revenues from automotive telematics-related services will also jump to $20bn by 2018, the company said.
None of this is without its dangers, though. One of the key challenges of any car is that sub-systems are developed independently by different suppliers, and there is no integrated hierarchy, no single electronic brain, to command all of the car’s systems such as entertainment, dashboard information and additional services.
Instead there are many computers or Electronic Control Units (ECU) which run specific things, the infotainment system is one of them. The trouble is in some designs (not all) they all sit on the same network and implicitly trust each other, so if you can corrupt one, the rest just trust it and this is amplified in a connected car which is connected to the internet and millions of potential hackers.
Recent experiments have proven that the insecurity of this systems approach is far from theoretical, where one insecure component could be used as an attack vector to gain access to the systems in the rest of the vehicle.
In the latest and perhaps scariest attack, security researchers Chris Valasek and Charlie Miller hacked a Chrysler Jeep remotely, and were able to pull a number of scary stunts, ranging from steering the vehicle through to cutting the engine and the brakes.
They were able to hack into the car remotely by connecting to it over the mobile phone network and compromising uConnect, an infotainment system made by Harman.
In the US, car makers frequently strike deals with mobile providers to keep vehicles connected, but even drivers of cars without such connections may be at risk.
Attacks via DAB
For example, Andy Davis, research director at security firm NCC Group, compromised a connected car’s infotainment unit by creating a Digital Audio Broadcast (DAB) radio station using off-the-shelf components.
DAB stations don’t just send audio data digitally to suitably-equipped vehicle radios. They send other data, too, including images and data describing the radio programme, both of which must be processed by software. Bugs in the software enabled Davis to compromise the device by sending the right code to the device.
Once in, attacks like these are able to affect more than just the infotainment system because of the rudimentary data architecture inside many connected cars. These cars contain hundreds of components, all of which talk to each other over a Controller Area Network (CAN) bus, which acts as a central conduit for in-car communications.
Cutting the brakes on several cars on the motorway becomes possible
The problem with CAN buses is that they often don’t apply any process isolation, meaning that any device listening for information on it would happily accept an incoming signal without verifying that it was sent by an authorised device. That weakness enables attackers to theoretically spoof messages from certain devices to confuse the car while in motion.
These attacks have significant implications for vehicles. DAB stations with enough power can reach lots of vehicles at once, and even a mobile attack could be mounted against multiple vehicles. Stopping the brakes on a heap of cars in one fast-moving section of motorway becomes a distinct possibility.
Vendors will consistently say that they have fixed it, and all is now well. Those who have worked in cybersecurity for years know that systematically fixing bugs is like a game of whack-a-mole, and that new, unexpected vulnerabilities emerge all the time.
Some of them even emerge through aftermarket additions after the car has rolled off the production line. A few years ago, security research firm Argus Cyber Security discovered that a third-party telematics device called the Zubie was sending and receiving data entirely unencrypted, without a digital signature that would authenticate its source. The company demonstrated a proof of concept attack that enabled it to take control of the vehicle.
So how do we secure the connected car?
What can car vendors do to make their vehicles more secure? Ideally, they’ll design security in from the ground up, creating a system in which devices in the vehicle only talk to the devices that they need to. Your airbag triggering system needs to hear from impact sensors in the vehicle, but there’s no reason that it should be taking instructions from the radio, for example. Not only that, but it should have a way of knowing that the sensors instructing it are legitimate devices, and not spoofed signals.
Secure design is the first tier in IBM’s three-layer security model for connected vehicles. The second is secure building, in which manufacturers create trusted supply chains during vehicle production. Finally, secure driving hardens the vehicle during operation, preventing ad hoc attacks.
At the Frankfurt motor show in September 2015, the firm featured its Internet of Things for Automotive system, embodying this three-tier design. It is comprised of two main parts: an in-vehicle gateway that monitors communications between the different electronic components in the vehicle, and a cloud-based analytics system that watches for anomalies both within a single vehicle and across an entire fleet.
“The in-vehicle gateway is a lightweight unit that acts as a broker between other computers in the car,” said IBM’s Gavin Kenny. Instead of everything talking to everything else unmonitored over the CAN bus, the gateway serves as a communications hub, ensuring that only appropriate messages are being sent between components that are authenticated.
This minimises the risk of spoofing, Kenny added. “We can add that intelligence to the system using encryption and authentication.” The gateway can use private/public key pairs that have been produced securely for components during a carefully monitored secure supply chain production process. It also eliminates the risk of aftermarket add-ons compromising the system.
“Garages need the ability to plug into these in-vehicle computer systems to perform maintenance and authorised upgrades or removal of illegal software. Without a well thought out and executed supply chain key management solution a single compromised garage could lose the keys to the kingdom, but our concept provides different keys across a wide range of components removing any single point of failure,” Kenny said.
Encryption and digital signatures help stop parts being replaced with malicious counterfeit components, improving driver safety and protecting from malware embedded in non-authorised equipment, for example.
Watching the car from the cloud
On the cloud side, analytics systems will communicate frequently with the car to monitor activities on the vehicle’s internal systems. Although the in-vehicle gateway will have its own analytics capabilities, the cloud-based system will have more computing muscle power to identify trends over time, and will also be able to compare vehicles for a broader view. It might be able to tell whether large numbers of cars suddenly suffered from an attempted attack via DAB broadcast, for example.
Cloud computing systems can also regularly update the in-vehicle gateway with new security threat information. Today’s cars have lifespans of well over a decade. Over the air updates are standard in many other connected products. Smart phones are regularly updated to make them better than when they were purchased. Cars will require the same capabilities.
This will be an important part of the emerging automotive arms race. With the bad guys who are constantly thinking up news ways to get past your defences.
Also In the future, traditional vehicle makers will be competing with IT companies such as Apple and Google, which are moving into the automotive space. They come from a background of ultra-fast innovation and constantly-connected products – and they’re fixing security problems in their products a lot faster than car vendors are. As a new era dawns for road-going vehicles, incumbent manufacturers will have to put the pedal to the metal to keep up. ®