Earlier this year, we published a piece about the need for a cybersecurity wake-up call in the automotive industry. The focal point of the story was a report on the industry by Synopsys that brought up critical red flags for all organizations operating within the automotive supply chain.
Fast forward to just over half a year later (an eternity in the tech world), and there appears to be more cause for optimism.
I reached out again to Chris Clark of Synopsys not only to get a pulse on where everything stood but also to check on the state of connected car security from the perspective of the consumer. Clark told me that since we last spoke in February, the industry has been very quick to react to the security challenges that are being brought up.
“When you have an organization like Volkswagen coming out and stating that not only is the future of vehicle development critical to the organization, but so is the safety and security of the vehicles that are being developed by the organization, that says something,” he said.
Keeping Up With Ever-Changing Car Tech
According to Clark, one of the biggest security challenges for the industry is the long delay between a vehicle’s conceptual beginnings and its eventual launch, which can often be five years. During that time, newer security technologies come into play, so the original equipment manufacturers (OEMs) and other organizations in the supply chain are thinking more about security along the way.
“They’re making some pretty significant steps forward,” Clark said. “Part of the challenge is when you look at designing a vehicle and look at security from the ground up, you have to look at the chips that are driving that system. If there’s weaknesses in the chip level it doesn’t really matter how much security you put on top of it, there’s still a weakness.”
Recently, he said, chip manufacturers have been urged to provide much more robust, secure solutions.
“We will start to see this more in safety-critical environments, especially with multi-core processing required for vision systems and other sensor-mesh-type technologies. The industry is reacting pretty quickly, and it’s pretty impressive to see so far,” Clark added.
A Network on Wheels
Remember, the automobile of today — even the most basic recently released vehicle — is driven by computers. Whether it’s cruise control, lane management, lane metering or the infotainment system, there’s a computer driving it. According to Clark, when we talk about a car, it’s really a “network on wheels with a bunch of computers.”
The focus of that network for most vehicles is, perhaps surprisingly, the infotainment system. And it’s not just 5G connectivity; smart vehicles armed with Zigbee can connect with smart home systems. For example, when cars get closer to home, they can interact with home infrastructure and communicate about the state of the vehicle to the owner.
And, like any network, it’s worth mentioning that the automobile is now harvesting a significant amount of data. Researchers have even been successful in retrieving personally identifiable information (PII) from rental car vehicles.
We don’t think about this enough — I recall renting a car last year, and I definitely plugged my smartphone into the CarPlay system. Did I leave any personal information in the car’s brain? I admit my heart missed a few beats when Clark brought this up.
Any enterprise with a fleet of vehicles to offer employees must consider this privacy issue as well.
Connected Car Security Baked In From the Start
As for general connected car security, auto manufacturers should begin with the fundamental activities in the vehicle design process. Tools like fuzz testing and static code analysis should be standard, and they’re on the verge of standardization across manufacturers.
Also critical for auto manufacturers is managing the technical debt once the vehicle has left production. In many cases, the only time when a vehicle gets serviced is at the dealer — at which point, it will often get a software update.
“Organizations have to look at how to manage the software in those cars over the lifespan of the vehicle,” Clark said. “So virtualization is going to play a key role in that.”
Because manufacturers can’t keep every version of their vehicle in the lot to pull for testing, Clark advised creating a virtualized environment to mimic the vehicle. Then, they can perform the level of testing required to manage security vulnerabilities as they arise over the vehicle’s lifespan. While this represents a serious challenge for the current crop of cars, it will become easier for vehicles in future years when more virtualized environments in which to work become available.
Finally, in addressing the various hacks that have affected the industry, Clark has seen OEMs approach the problem in many different ways.
“Diversity is really good when you start talking about security,” said Clark. “As these diverse methods start to mature and we see some methods working better than others, we’ll start to see providers across the board arrive at standardized development methodologies and technology solutions that benefit the consumer in the end.”
Practical Advice for the Consumer
For consumers looking to buy a “smarter” car, there are numerous options and features that can easily overwhelm even the savviest of car buffs. According to Clark, there are a few questions you should ask yourself:
- Does the vehicle have a track record with some potential for service and support over the duration of its life cycle?
- Does the vehicle have the technology attributes that I find interesting, and does it integrate with my home, my phone and my general lifestyle?
- If there are a lot more electronics in this vehicle than there are in most, what will that look like from an insurance perspective?
That last question warrants further discussion. Synopsys is predicting a boost in consumer interest around reasonable cybersecurity requirements for a vehicle, especially when they start looking at their insurance bills after the purchase.
“Typically, most consumers only react when they feel a financial hit from it, and where they’re going to feel that is insurance,” Clark said, noting that the insurance industry is taking a very close look at future vehicles. “There’s been substantial work occurring over the last three years for the insurance industry to look at cybersecurity as it relates to not only autonomous vehicles, but also vehicles that have more electronics than they ever have before.”
As vehicles move toward full autonomy with features like self-repair and self-diagnostics, security and safety will certainly factor into insurance rates. This will inevitability factor into consumers’ financial decisions as well.
Optimism Remains Despite Deep Threats
During the writing of this story, CNN reported an FBI warning stating that “the automotive industry likely will face a wide range of cyber threats and malicious activity in the near future.”
This is certainly sounding the alarm, but when you stop to think about it, what industry isn’t being targeted by cyberthreats? I don’t doubt that we must be cautious, but doesn’t that solidify the argument that we all need to pay more attention to cybersecurity in general? Thankfully, Clark told me that all the automobile providers are developing a universal vernacular for how they share information about connected car security requirements.
“The industry is starting to align with common language that they can share for a clear and consistent understanding of what’s being asked,” he said. “That’s a major jump forward from what we’ve seen in the last couple of years.”
With so much pessimism surrounding the state of the threat landscape in the industry, it’s sure encouraging to hear that manufacturers are embracing security concepts more than ever before. Still, the industry can’t afford to take its foot off the cybersecurity gas pedal.
The post Connected Car Security Is a New Kind of Mobile Security Risk appeared first on Security Intelligence.