How cybersecurity is putting the connected car in reverse
It’s official – the automotive industry is being disrupted by new business models and technologies. The frontiers have undoubtedly been shifted, as manufacturers compete to produce driverless and connected cars. Whilst this engineering revolution shows no signs of abating, with the government pledging £20 million to the development of autonomous vehicles only last month, cybersecurity concerns are likely to remain a primary inhibitor to widespread delivery of and consumer adoption of the technology.
Although the concept of the connected car is by no means new, recent research showed that almost half of British drivers are still concerned about the security of driver-aid applications such as cruise control and self-parking. It seems as though this caution is warranted – automotive manufacturers admitted in the same research that there could be a security lag of up to three years before driverless car systems catch up with cyber threats. Given the evidence of flaws in the basic technology itself (Google recently admitted blame for a crash involving its self-driving car), in addition to cyber-security issues, it’s easy to understand the sustained consumer scepticism around autonomous vehicles.
IoT: giving hackers the green light
A significant reason for these cyber-threats plaguing the minds of consumers is the proliferation of the Internet of Things. This is a phenomenon which has facilitated opportunities for monetisation in a wide range of industries and automotive manufacturing is no different. In fact, McKinsey predicts that a movement towards connectivity in the automotive industry could result in up to $1.5 trillion in extra revenue by 2030.
Gartner predicts that 6.4 billion connected devices will be in use this year, an increasing portion of which will be cars, which are also set to dominate the early stages of 5G rollouts. However, the growing number of connected vehicles equals additional access points to a network potentially giving control of another person’s vehicle and containing an abundance of valuable data, creating more and more opportunities for hackers.
Cyber-threats are putting the brakes on adoption
Consequences of a breach could be wide ranging, from compromising the controls of a single vehicle to bringing entire cities to a standstill. Whilst taking physical control of a car will not bring financial reward, it could cause chaos in major locations. As vehicles increasingly become connected to the critical transport infrastructure, the potential for hostile groups to cause damage is ever-more viable. Undoubtedly, the importance of implementing effective security protocols takes on additional significance when human life is endangered.
The importance of cyber-security in connected and autonomous vehicles is demonstrated by the speed at which hackers formulate new methods, matching innovations developed by manufacturers. For example, some thieves are exploiting keyless entry systems with 'amplification attacks', which use a device to 'amplify' the signal generated by a key-less remote to open a car's doors. Alternatively, thieves intercept a door code using a device planted nearby, that is then used to break into the car later.
Whilst driver safety has to be the biggest consideration, data security cannot be ignored, given the rise in wireless communications between cars and manufacturers (for simple things such as traffic updates). As connected vehicles become more advanced and integrated with other devices and systems, the amount of data travelling throughout the supply chain is set to rocket. Therefore, if a hacker is able to infiltrate any of these potential access points, they would have access to all this data, which could include personal and financial details.
Can manufacturers accelerate past the hackers?
Due to threats to consumer safety, manufacturers have been investing heavily in security and conducting extensive testing to prove new-age vehicles can cope. The difficulty for manufacturers is that there will be technologies from multiple vendors that need integrating for the driverless car to function – such as cameras, navigation systems and ‘infotainment’ systems. Although some measures are being taken to separate vehicle control networks from other systems, manufacturers will need to impose stringent controls across vendors to ensure that integration areas do not become points of weakness.
Some manufacturers, such as Tesla and more recently General Motors, have implemented ‘bug bounty’ programmes, which can offer financial rewards for hackers to reveal flaws and bugs in company software code, although these schemes have not yet extended to flaw finding in the infrastructure of the actual vehicles. Whether this represents a move in the right direction or a sign that car manufacturers are struggling to keep up remains to be seen.
Despite major automotive organisations having some of the best technologies for defending against cyberattacks in place, many still succumb to attacks due to the constantly evolving nature of the threats. Existing technologies will likely provide sufficient protection for the driverless car, however, new methods of attack will inevitably be developed. The real challenge will be ensuring security technology keeps up.
Although the UK government is investing heavily in smart car technology, scepticism is likely to remain for the time being. Ultimately, consumer confidence in the security and safety of the driverless car will determine adoption. To prepare for the arrival of autonomous vehicles, companies need to enforce standards across vendors and establish partnerships with experts to stay ahead of evolving threats and keep consumers and their data safe.
Gary Newe is the Technical Director at F5 Networks