
A road less taken: cyber security for connected cars

by Shrikant Shitole, MD, India Symantec Dec 01, 2016


What once seemed niche, far-fetched and even futuristic is now central to the immediate roadmap of almost every automotive manufacturer in the world.

In reality, connected cars are not all that new: telemetry, sensors, even performance data have been part of automotive DNA for years.

To integrate the connected experience into everyday situations, carmakers are adopting new trends in smartphone integration, embedded modems, and vehicle-to-vehicle communications. However, as the technology of the car transforms from a ‘dumb’ metal structure and mechanical parts to a ‘smart’ hardware-software computing platform, the outcome isn’t just an increase in functions and services, but significant increases in vulnerability as well.

Over the past few years, automotive security threats have gone from theory to reality. While this is still an emerging consideration in India, Gartner predicted that there will be 220 million connected cars on the road by 2020. Who knows, you might be driving one of them.

The Threats


Currently, most vehicles are equipped with dozens to nearly hundreds of modules on the in-vehicle networks (IVN), including engine control units and body control modules that provide critical functionality for control and safety of the vehicle. While new technologies take hold and start to proliferate with a promise to enhance the driving experience, hackers and attackers are never far behind, and the need to protect all of those connected devices has never been so urgent.

Even as automakers segregate IVN, harden critical modules, and begin embedding faster and more secure cryptography for IVN, attackers have already demonstrated how to defeat IVN gateways. Staying ahead of such adversaries requires sophisticated analytics capability, embedded directly in the car or on a dongle connected to the car, to detect the adversaries who have already reverse-engineered your vehicles before they begin to attack the fleet of vehicles representing your brand.

Tech-savvy thieves have stolen cars in the past. Online videos show hackers remotely taking control of cars in ways that can endanger drivers and passengers. Symantec’s Internet Security Threat Report Vol.21 highlighted the related vulnerabilities.

Over the past year, we have seen an increase in proof-of-concept attacks and growing numbers of IoT attacks in the wild. In numerous cases, the vulnerabilities were obvious and all too easy to exploit. Many issues stem from how securely vendors implemented mechanisms for authentication and encryption (or not). For instance, Fiat Chrysler recalled 1.4 million vehicles after researchers demonstrated a proof-of-concept attack where they managed to take control of the vehicle remotely. In the UK, thieves used hacked keyless entry systems to steal cars.

Symantec understands the risks that automakers and suppliers face and can determine a strategy for protecting cars. By leveraging Symantec’s experience in embedded security such as ‘Managed Public Key Infrastructure’, bringing security into the car can now become a reality.

The Road Ahead


No single silver bullet can ever deliver truly effective security. Staying ahead of such adversaries requires several security technologies: authentication, cryptographic control of the code for each module, hardening of each module, and sophisticated analytics capability, embedded directly in the car to help ensure the much-required safety.

Advanced machine learning techniques will be critical to success as we look to secure connected vehicles. There is a great need to build long-term, comprehensive security while delivering ground-breaking protection for cars today. This includes learning the vehicle’s behaviour in a deeper, more precise way, enabling automakers to see previously unseen attacks. Recognising the support required to address industry needs, Symantec introduced ‘Anomaly Detection for Automotive’, which proactively identifies threats and monitors the vehicle network for suspicious behaviour. As connected automobiles become the norm, security issues have already drawn the attention of the industry. To address them, it is imperative that security firms and car manufacturers collaborate to help secure the future automobile.

The Mitigation Strategies


Car owners who are concerned about these issues can take a number of steps to decrease the likelihood of attack. Here's how you can do that:

- Keep your vehicle software up-to-date. Software updates will frequently include patches to newly discovered security vulnerabilities that could be exploited by attackers.

- Exercise caution when connecting diagnostic or telematics dongles to your vehicle. Connecting this type of accessory to your car opens a door for attackers into its CAN bus network.

- Avoid connecting untrusted devices to your car’s infotainment systems, such as USB sticks, phones, or media players. Similarly, if your car has network connectivity, avoid connecting it to untrusted networks.

Driven by opportunity, vehicle manufacturers and their suppliers will partner with cyber security vendors on securing connected cars as they would with any other networked endpoint such as mobile devices and laptops. Keeping security top of mind will not only help ensure the safety of drivers and passengers but also build trust in the car manufacturers and the overall Internet of Things ecosystem.

This article was first published in Autocar Professional's November 1, 2016, issue.
