Stephen Morrow, principal security consultant, SQS

Connected cars are set to take the UK by storm. With announcements from well-known organisations such as Ford, Tesla and even Google on their intentions to build fully-functioning autonomous vehicles, we are on track to have more than 380 million connected cars on the road by 2021[1]. In fact, approximately 12 percent of all cars on the roads are predicted to be connected to the Internet by the end of the year[2], which will make connected cars one of the biggest exponents of the Internet of Things (IoT) revolution. Smartphone penetration has hit a saturation point in many western countries, and mobile-industry consultant Chetan Sharma has said that more cars were added to mobile networks in the US than mobile phone handsets in the first quarter of this year[3].

Public safety breach

Whilst the market is firmly in fifth gear, the security that underpins connected car technology is still spluttering in second, at best. There have already been several 'stunt hacks'; a key example was the Jeep hack last year, in which hackers took over the car's controls wirelessly and sent commands through the entertainment system. This enabled access to its dashboard functions, steering, brakes, and transmission, with the driver unable to override them[4].

Until now, security and safety have been considered two completely separate entities. Unlike high-profile breaches of companies such as Home Depot and Sony, which were confined to legal ramifications and a knock to consumer confidence, the potential breach of a connected car could lead to physical harm. This – along with medical devices and critical infrastructure – is one of the first times that computer security is intersecting with public safety, with serious ramifications.

Shifting focus

Automotive manufacturers have been focusing so much on adding functionality and usability to products that they haven't taken the time to suitably consider the threats. A shift in focus is needed. Manufacturers must start placing security at the fore and take the potential impact on human safety more seriously.

It seems that automotive manufacturers have relied on the idea that physically getting hold of a car to deconstruct it and find vulnerabilities is expensive, so bad guys haven't yet targeted them. Whilst this may reduce the potential for curious teenage hackers, it certainly won't prevent black-hat security researchers, organised crime syndicates or state-sponsored attacks. However, even this view is short-sighted. Many of the systems now being installed on connected cars can be downloaded from the internet and are therefore accessible to all, including those with unpleasant intentions.

Changes in the information security landscape

The information security landscape has changed. Back in the mid-90s, firewalls were sufficient to keep nasties out of your systems. This worked well until software became the target and the perimeter came down. Now the root problem lies in design and implementation at the software level, where vulnerabilities typically manifest themselves within the code when it is written.

A more proactive approach to security in 2016 is to identify where the vulnerabilities are within the code and then recommend changes to remove the issue. This means that indicators of vulnerability can be fixed before the product – whether a connected car, mobile phone or fridge – goes onto the market.

Root of the problem

Whilst the attacks on connected cars have so far been limited to stunt hacks, it is no stretch of the imagination that criminals could employ a similar technique to that of the Jeep hack to gain access and take control of a car innocently parked on your driveway. To minimise the risk, it is imperative that quality assurance and security are embedded across the development lifecycle, especially as requirements and architecture are being designed, to ensure that robust security protection is included throughout the process from the very beginning.

Whilst a potential bug in the code is usually an unintentional failing of the testing process that could be exploited at a later date, there are fears that it could be placed intentionally from within the supply chain. Due to the number of relatively small components used by connected cars, there is great temptation for manufacturers to rely on open source libraries. However, this open source code – which by its very definition could be reused again and again – could have been written by anonymous coders (amongst a cast of 100 legitimate ones). These coders could be playing the long game by allowing bad guys in the future to infiltrate through a back door they may have placed into the system years before. This method may sound farsighted, but it unfortunately does take place.

Testing the system for security vulnerabilities can take various forms. It could mean undertaking a port scan to detect open ports and the services running on them, and then looking for known vulnerabilities. It could mean fuzzing, where coding errors and security loopholes are discovered by firing large amounts of random data at a system in an attempt to make it crash. Other times, it can be as straightforward as connecting to the car and sniffing the data in order to reverse engineer it to find flaws.

An ongoing battle

The truth is that security is an ever-changing process; it is not a complete solution, nor can a system ever be truly 100 percent secure. In the commercial space, we are accustomed to routinely patching our systems. New vulnerabilities and methods of attack are constantly being developed and discovered. Yet, until now, automotive manufacturers have been complacent in their attitude to security. It was, more often than not, a token gesture tacked on at the end – not taken seriously and not built in from the start. Attention must be placed upon ensuring quality assurance testing is conducted at regular intervals to highlight any weaknesses. The reality is that the cost of testing is a small price to pay when it comes to ensuring public safety.

Contributed by Stephen Morrow, principal security consultant, SQS