Dude, How Secure Is My Connected Car?
With connected cars becoming more common, experts say vehicle manufacturers should adopt security best practices used by mobile device makers.
The driverless car may be here before we know it. A county in Iowa, wanting to be in the forefront of autonomous vehicles, has already passed a resolution to allow them on its streets, reports USA Today. An official quoted in the story predicts driverless cars will hit the mainstream in five to 10 years.
Though they do not yet drive themselves, connected cars (also called smart cars) can already perform some tasks once done by humans. Manufacturers like Audi are outfitting their latest models with slick technology. The 2015 Audi A3 sedan features a 4G LTE data connection, which allows drivers to stream personalized RSS news feeds, social media alerts and more. General Motors just announced that 10 of its vehicles will feature 4G LTE connectivity.
Smart cars will be a key component of the Internet of Things, a "network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment," according to Gartner.
Smart car technology is at a "tremendous transition point right now," said Scott Morrison, SVP and distinguished engineer at Layer 7 Technologies, a CA Technologies company.
Companies like Microsoft and Apple are keen to capitalize on the trend by producing versions of their operating systems geared toward auto manufacturers. Microsoft recently demonstrated its progress toward producing a version of Windows for cars at a developers' conference. Ferrari, Mercedes-Benz and Volvo are offering Apple's CarPlay, which integrates iPhone functionality into automobiles, in their newest models, and about a dozen other manufacturers have announced plans to do so. A group called the Open Automotive Alliance, with members including General Motors, Honda and Nissan, is committed to bringing the Android platform to cars.
Learning from Mobile Security
Naturally, this poses security and privacy challenges. Charlie Miller, a security researcher at Twitter, and Chris Valasek, director of Security Intelligence at IOActive, last summer demonstrated how they were able to hack into a 2010 Toyota Prius and 2010 Ford Escape and take control of the vehicles' electronic systems. The good news: After releasing a whitepaper detailing how they did it, the two men built a prototype vehicle "intrusion prevention device" that they plan to bring to the Black Hat conference in Las Vegas this week.
Fortunately, connected cars can benefit from security practices employed with mobile devices, Morrison said. Similar to such devices, smart cars will likely use a mix of vendor and third-party software. Both iOS and Android, the two primary operating systems for mobile devices, do a nice job of separating mission-critical apps from the operating environment, he said.
"They are sandboxed by design, which is the key to building a strong OS," Morrison said. "We must continue to use that model to enjoy the same level of separation. We do not want general apps to interfere with mission-critical ones."
Another mobile security practice that will likely be adopted by vehicle manufacturers will be rolling security updates. This will differ dramatically from how manufacturers currently conduct auto safety recalls, Morrison said.
"Right now there is a lot of hassle in how manufacturers initiate change. You cannot have the same level of ceremony in updating an OS; you need to be able to push it out faster," he said. Despite this, he noted, manufacturers will probably not want to put the process completely in the hands of users. "Finding the appropriate balance between user control and manufacturer control will be key. Updates are generally pretty fast and seamless in the mobile world, and that is what the automotive industry needs to get to."
Keeping It Cohesive
Encryption is another security best practice that will be important for connected cars, for protecting both a user's sensitive data and an automaker's intellectual property, said Johannes Lintzen, a regional sales director for Utimaco. Automakers will want to leverage key management technologies to ensure that sensitive information being exchanged between connected cars and underlying infrastructure is appropriately encrypted.
Vehicle manufacturers can also leverage management technologies to ensure that communications are given the proper priority. A message to a smart car's emergency brake system obviously is more critical than one to its stereo system, for example.
The good news is, automakers and other companies involved in producing connected cars already seem to realize the importance of proactively tackling these security issues, Lintzen said.
"All the players in the automotive space seem to be aware of the importance of having best-of-breed security from the earliest phases when solutions are being architected. You can bolt it on later, but it will not be as effective," he said.
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.