It’s human nature to respond in a manner of self-protection when facing dangerous situations. We have built-in reflexes to flinch, nerves to feel pain and the foresight to understand potential complications of actions that are about to be taken. So how many incidents does it for automotive manufactures to react in a mannerism that shifts priority to security and ultimately, the safety of the end user over convenience?
Smart vehicles are at a stand-off. Manufactures are engineering copious amounts of features into new cars improving fuel economy, road safety features and crafting a luxurious user experience. On the other hand, the security guarding these systems has been dealt the short hand of the stick. Just look at cases such as the remote proof-of-concept attacks by researchers demonstrating abilities to steer a Jeep off-road into the trenches, or the capability of remotely unlocking the BMW ConnectedDrive. Combined, these two incidents caused a recall of 3.6 million cars globally to ensure the safety of the end user. As well as the severe financial burden involved in a global recall, nobody wants to be developing a reputation for insecure vehicle systems.
Insecurities in connected vehicles are becoming a more apparent problem as technology pushes forward. The CAN bus is a centralized network controlling the ECUs throughout most European cars to date. The problem is, the CAN bus system was initially designed by Bosch in 1986, and whilst it has had major updates since then – it was not designed with robust security from the ground up. When security adjustments come as an afterthought, it leaves metaphorical holes in bucket that was just filled with water.
The above visualization is showing the high-level architecture of a smart car, including access ports for USB devices. All of the represented components pose a risk, whether it’s safety, security or privacy concerns as a result of becoming compromised. Approached with malicious intent, capabilities could be granted to improperly engage braking systems, manipulate any number of ECUs in a vehicle (With modern vehicles having around 100 ECUs) and multiply the risk in hazardous driving conditions. It could essentially be a very bad day for the passengers involved.
The UK has taken a step forward last year by implementing a new set of guidelines ensuring the complete security of connected vehicles. The transport minister Lord Callahan stated “Whether we’re turning vehicles into wifi connected hotspots or equipping them with millions of lines of code to become fully automated, it is important that they are protected against cyber-attacks.” These new guidelines instil principles hoping to ensure a harmonious relationship between manufactures and possible 3rd parties to create resilient vehicles, capable of handling corrupt, invalid or malicious data commands.
Globally, the automotive industry will need to adapt rapidly. Testing needs to be undertaken to ensure metaphorical bucket-holes are not just patched up, but redesigned to withstand the weight of the water. With every new feature implemented, it becomes the responsibility of the manufacturers to protect their customers from malicious attacks by ensuring their products have addressed all of the potential security risks. Are smart cars going down a dangerous road? Without increased importance placed on secure systems, definitely. Otherwise it’s a long road that ends up in a real-life version of the aforementioned Jeep scenario. It must become a human reflex not only to fortify our physical protection, but also our cyber protection to maintain our safety.
Applied Risk has extensive knowledge of embedded device security within the IIoT domain. See how Applied Risk can help you secure smart vehicles and the corresponding smart infrastructure through our IoT Security Assurance Services.