As vehicles increasingly become technology-centric, manufacturers must make cybersecurity a priority for the security of passengers and data.
Tesla recently demonstrated its new electric pickup vehicle, the “Cybertruck,” which polarized public opinion. Some said it looks like a child’s sketch come to life, while others consider it a vision of the future. There were also concerns about the safety of the unusual cube-like design, as the prototype lacks windshield wipers, turn signals and side mirrors. Whichever side you’re on, given Tesla’s ability to set trends, it’s possible this design could influence what vehicles will look like in the future.
Whatever your opinion, the use of the term “cyber” in the name couldn’t be more relevant. Today, more and more cars are becoming cyber cars, and in the future, it’s likely that you’ll be able to describe every vehicle this way. This doesn’t mean that they will all have a polygonal cyberpunk-like design. It means that the focus of the car’s operating process will rely on digital systems, both inside and outside the car. So, the logical question here is, how secure will all those cyber cars of the future be?
Based on our experience working with car manufacturers on penetration testing and vulnerability research, there are two primary areas of concern for vehicle security.
Impact on Vehicle Safety
One of the biggest worries is that someone can exploit vulnerabilities in a car’s system to take over its control or manipulate its functions. That’s why car manufacturers absolutely need to conduct regular assessments and penetration tests to detect vulnerabilities before a vehicle is released. They should also ensure that all components that can affect vehicle security are tested.
If any security issues are found in already-released vehicles, the best practice is to enable over-the-air (OTA) updates. With this approach, patching a car’s software resembles the way we update the software on our smartphones, allowing us to install necessary updates remotely, without the need to go in for a service. Provided the communication channel between the car manufacturer and the car is reliably protected, this is a good practice.
OTA updates are still not commonplace in the auto market. It’s a real challenge to deploy rapid security updates that comply with quality and safety requirements for the range of electronic control units (ECUs) that are embedded in various automotive systems. Where OTA update distribution isn’t possible, we recommend deploying intrusion detection and prevention security modules to ECUs. This allows virtual patching alongside protection of in-vehicle systems, including connected devices, communications and applications.
Car manufacturers should also introduce bug bounty programs, so third-party researchers can report issues and have them resolved before threat actors become aware of them. The good news is that some carmakers already support these initiatives. We hope that this step will soon turn from a good option into an industry standard.
Private Data Exfiltration
Data is a second form of fuel for a connected car. The more contextual information the car has, the smarter the decisions it can make on the road. For example, there are infotainment systems and telematics units that control the tracking of a car. They can collect and transmit, to the car manufacturer or app developer, a vehicle’s GPS location, mobile data, driver style information and voice assistant recordings, as well as communications.
Car location, the driver’s favorite routes and destinations, paired smartphone data and in-vehicle camera and microphone data are held both by the vehicle itself and in the wider ecosystem. This can be a tempting target for malefactors. If this private information is in the wrong hands, it can be used for stalking or blackmailing. Even if we set cybercriminals aside, the privacy of the owner of a smart car is now a serious question. Consumers are increasingly concerned about how the data they generate, on the road or otherwise, will be used.
Connectivity affects not only new cars but used ones as well. For example, it has been proven already that connected cars are introducing some privacy risks for a forgetful owner. When a connected car is sold second-hand, it can be possible for the new driver to access all of the same apps and data as the previous owner, if that person didn’t log out. This could even compromise accounts that contain credit card info.
So car manufacturers have a new asset to deal with: their customers’ private data. What happens if this data leaks? Do car manufacturers have a plan for how to deal with these privacy issues? To deal with these challenges, encryption of a vehicle’s communication networks when transmitting sensitive data outside a car is a good place to start.
Driving Automotive Cybersecurity
The development of connected vehicles is incredibly exciting and combines two of my favorite interests: cars and technological innovation. We are now seeing how advancements in technology are driving the development of the automotive industry. For example, a neural network can now be trained to recognize anomalies in regular operating conditions through telemetry from a car engine.
The cybersecurity posture of a vehicle will soon become a competitive advantage for car manufacturers since customers are now much more concerned about privacy issues. Besides that, some security issues can pose danger to physical safety, which is the main factor for the majority of the public when choosing a car. For these reasons, it’s becoming very important for an automotive company to show what it’s doing to protect the drivers of its cars from security risks.
So if you ask me what makes a car a cyber car, I’d say that it is not simply a sci-fi or retro-sci-fi look. It is not the ability to drag another truck uphill or have cameras instead of rear-view mirrors. I’d say it is the ability of the car to cope with the challenges that connectivity and smart ecosystems bring to the way a car is produced, sold and used. Such cars have yet to arrive on the market, but when the cybersecurity and automotive industries collaborate, that will happen very soon.