Baby, Who Can Drive My Car?

This is the third post in our IoT blog series. Read the first post about IoT in healthcare and the second post about smart cities here.

Driverless cars have long been a feature in science fiction – and over the past few years, they’ve become a reality, with the major motor manufacturers developing and showcasing autonomous vehicles, with the vision of making road travel cleaner, more efficient and safer.

While we have yet to see the truly driverless car on public roads, the cars that most of us drive every day are already far more intelligent and connected than we may realize.  And that connectivity can present a significant cybersecurity risk.

A typical new car today is packed with digital technology, including GPS navigation systems, Bluetooth connectivity for pairing mobile phones and entertainment systems, 4G Wifi hotspots to enable on-the-road internet access, collision avoidance systems, assisted parking, remote diagnostics to alert drivers to maintenance issues, and much more.  What’s more, it’s not unusual for a new car to have 10 or more electronic control units (effectively, mini computers with processors and memory chips) to control functions such as the engine’s electronics; the transmission; suspension, steering and braking systems; active safety systems; entertainment systems and more.

Gartner has predicted that, by 2020, 61 million of the new cars shipped globally will incorporate data connectivity, either through a built-in communications module or by a tether to a mobile device.  These are features that were once reserved for the most high-end, luxury vehicles, but now they are standard fittings in even entry-level cars.  And they all involve wireless data communications that can potentially be intercepted by malicious hackers.

 The kill switch

This interception was demonstrated to devastating effect by ‘white hat’ hackers – security researchers – in 2015. They managed to remotely take control of a Jeep Cherokee – prompting Chrysler to recall 1.4 million vehicles. A maliciously motivated attack of this place has yet to occur – but the FBI, Department of Transportation, and National Highway Traffic Safety Administration have still seen fit to issue a memo exploring the specific dangers of connected vehicles. As they underline, a cybercriminal has only to disable a car’s steering or brakes, shut down the engine or manipulate other on-board systems to cause huge damage, disruption and danger.

Connected and Self-driving cars legislation has started to pick a momentum while cybersecurity is one of the hot topics it deals with. The House of Representatives has recently published a Self-Drive act as to improve NHTSA’s “ability to adapt federal safety standards to this emerging technology, and clarify federal and state roles with respect to self-driving cars.” The United Kingdom has also recently published Laws of robotics for self-driving cars in the form of “Key principals of vehicle cyber security for connected and automated vehicles”.

Essentially, this plethora of connected technology has turned cars into moving endpoints, with a rich selection of potential vulnerability points for cybercriminals to target. And whether those criminals’ aim is to endanger lives, harvest valuable personal information or simply to commit digital vandalism, the implications for drivers and vehicle manufacturers are severe.

The wider infrastructure

It’s important, also, to consider the digital infrastructure in which these connected cars sit. As vehicles become ever more connected, so too will the infrastructure they operate in. We can already see the development of so-called smart motorways and city parking systems, as urban planners and engineers seek to reduce congestion, improve safety and meet carbon targets. As smart cities continue to develop and more data needs to be collected to power innovative new services, the lines of communication between vehicles and places will become ever more complex.

In turn, this forces several disparate parties – connectivity providers, infrastructure systems and vehicle manufacturers – to work closely together. Their technologies have to integrate with each other to share information – and they also have to be able to do this securely. If data is not encrypted in transit, for example, then it becomes a prime target for cybercriminals – but actually enforcing that encryption requires a great deal of collaborative working.

Then there are the third party applications that are increasingly likely to be embedded in connected vehicles. The Internet of Things (IoT) offers great potential for companies running fleets of commercial vehicles to improve processes, by monitoring the temperature of transported goods, for example, or analyzing driver behavior.  However, if information is being collected by vehicles and transmitted to external, cloud-based analytics engines then there are opportunities for cybercriminals to intercept that data, particularly if it is not encrypted or protected during transmission.

Essentially, the more the connected car ecosystem generates, collects, transmits, stores and analyzes digital data, the more temptation there is for cybercriminals to attempt to compromise that data, whether for extortion, damage and destruction, or building value to sell on. Likewise, the more connected devices are embedded in cars and the landscapes they drive through, the more endpoints there are for those cybercriminals to attempt to tap into.

Securing connected cars

What, then, is the answer? For connected cars to provide the efficiency and safety benefits they promise without compromising driver and passenger safety, or data integrity, the complex networks of organizations involved in the car industry need to work together and prioritize cybersecurity.  Collaborations between vendors such as Check Point and Argus are improving security by protecting vehicles’ internal networks, and their external connections.  And working groups like the HDBaseT Alliance have been established to define new cybersecurity industry standards for the sector, and are co-developing solutions that address issues like network configuration, firewalling, securing third party solutions and security level ranking.

Check Point is a part of the HDBaseT alliance, and contributing to solutions that can ensure that connected cars have robust network segregation, firewalling, and secure external communications, helping to deliver a safer connected car landscape – for every road user.