Manufacturers are not doing enough to protect their connected cars against malicious cyber attacks. That is the opinion of most of the security experts gathered at the 2018 Geneva International Motor Show.
The cyber threat
Official UK data suggests that vehicle theft has risen by around 30% as criminals use new technology to break into cars. For example, “relay car hackers” use radio transmitters to intercept the signal from a car key, often succeeding in gaining access to a vehicle in less than a minute.
Malware is another commonly used ploy. Falling victim can take no more than registering for a bogus free Wi-Fi service, which is all that is required for criminals to take complete control of your car.
What is really worrying is that criminals don’t need to acquire special expertise or invest in sophisticated equipment. The reality is that standard smartphones or cheap radio transmitters will provide hackers with all the technology they need to break into most vehicles.
Car theft is far from the only threat, however. A recent report warns that terrorists could hack into connected and autonomous vehicles in order to crash them deliberately.
So what is it that makes connected cars particularly vulnerable? “As cars continue to evolve, essentially becoming motorized computers, they are vulnerable to the very same threats and attacks as home computers, laptops and smartphones,” explains Carlos Moreira, the CEO of WISeKey.
“Unless appropriate cyber security measures are implemented, hackers can remotely access the vehicle's computer system, manipulate the brakes, engine and transmission.”
Snapping turtle technology
One of the most quoted statistics about connected cars is that, collectively, all the built-in software systems contain more than 100 million lines of code. That is twice as many lines of code as CERN’s Large Hadron Collider, the world's most powerful particle accelerator, and seven times more than the Boeing 787 Dreamliner.
“You can’t secure every line of code,” says Chuck Brokish of Green Hills Software, “but you can identify critical components.”
Brokish compares car security to the snapping turtles in his native Wisconsin. He claims that the amphibians combine powerful jaws with a shell so hard that cars can run over them without doing any damage.
Flip the turtles over, however, and their soft bellies make them extremely vulnerable, he says. Brokish likens this to the “medium robustness” security systems of connected cars, which offer protection against casual attacks but cannot cope with a targeted onslaught.
The experts say that connected cars should be fitted with security systems and mechanisms that provide the most stringent protection and rigorous security countermeasures. They are not.
“It’s like leaving your front door open,” says Manfred Kunz of Marvell, “and expecting someone in your living-room to protect your home.”
Creating a security-conscious culture
Promon founder Tom Lysemose Hansen says the lack of adequate protection can be hard to understand: “Various security-first practices, such as those for example already used in mobile banking, mobile payment or mobile authentication, could greatly reduce the risk of such an attack.”
All the experts we met agreed that protecting vehicles against cyber threats poses an enormous challenge that requires close and constant cooperation between a number of organizations: automotive and original equipment manufacturers (OEMs), software companies and security solution providers.
Alex Manea, the Chief Security Officer of BlackBerry, urges manufacturers to authenticate every chip and electronic control unit and ensure they are loaded only with trusted software. Regular health checks via analytics and diagnostics software are essential, but he argues that the critical factor currently lacking in the industry is a security-conscious corporate culture.
“Ensure that every organization involved in supplying auto electronics is trained in safety and security with best practices to inculcate this culture within the organization,” says Manea.
The role of International Standards
The message coming out of the Geneva International Motor Show is that more car makers should take responsibility for cyber security. The consensus among the analysts is that many manufacturers are only willing to do the minimum, as security can be expensive.
In the end it will come down to whether consumers are prepared to pay more to move beyond snapping turtle technology. There are signs that this may be the case.
A recent report identifies consumer concerns about cyber security and safety as a significant barrier to continued growth in the connected car sector. Thirty-one per cent of respondents to Foley’s 2017 Connected Cars and Autonomous Vehicles Survey identified these concerns as the biggest obstacle to buying connected cars.
International Standards already provide manufacturers with the best practice guidelines they need to step up cyber security.
In this respect, the United Nations Economic Commission for Europe (UNECE) document on System Security Principles for Intelligent Transport System and Connected and Automated Vehicles highlights the important role played by the IEC in providing the tools to protect against cyber attacks. IEC develops International Standards for information technology, together with ISO. The UNECE document lists no fewer than 11 applicable ISO/IEC JTC 1 Standards and guidance documents.