Can automakers learn to embrace cyber security?

A group of IT security researchers have called upon the car industry to ensure cars are built to withstand attacks from cyber criminals.

The group, which calls itself I am the Cavalry, formed at last year’s Def Con security conference to try to promote greater cooperation between the IT security community and the consumer goods manufacturers. It has written an open letter to the CEOs of the major car companies, urging them to take the issue of automotive cyber security more seriously. Specifically, it is asking automakers to sign up to the Five Star Automotive Cyber Safety Program, which sets out five key ways the industry can make its products safer. These include: safety by design, third-party collaboration, evidence capture, security updates, and segmentation and isolation.

The modern vehicle is effectively a computer on wheels. It is heavily controlled by software and embedded devices and increasingly connected to the internet in order to benefit from a growing number of infotainment and safety applications. Just like any other computer connected to the web, the modern car is capable of being hacked.

Should we be worried? Probably. At the extreme end of the threat spectrum is terrorism. The advent of vehicle connectivity happens to coincide with the replacement of previously mechanically governed systems (brakes, steering, throttle control) with electronically governed by-wire systems. It will (in theory) be possible for determined, well-resourced terrorists to make vehicles crash. Regardless of how many fatalities resulted, it is likely that thousands of people would be fearful of using their vehicles for a time and the resulting disruption and economic damage could be significant. Of course, such an attack would require extraordinary coordination and would be fiendishly difficult to carry out – perhaps more so than other, more low-tech options available to terror groups.

There is also a concern that malware of any kind, even that created for “sport” by hackers (like many of the viruses which plague PCs), could enter the vehicle via the infotainment system and permeate safety-critical systems, whether intended or not. While there are good reasons to worry about the vehicle safety implications of car-hacking, history suggests that the connected car has more to fear from good old-fashioned theft and extortion. Picture the scene. You return to your vehicle on a cold, dark evening. Your electronic key will not open the doors or start the ignition. You receive an SMS from the criminal gang who have hacked the vehicle, demanding an electronic payment of EUR 100 to unlock the vehicle. Vehicle connectivity opens up countless new opportunities for relatively low-level financial crime perpetrated on a mass scale by criminal gangs, whether the driver’s financial details are stored on-board the vehicle or not.

Look at the last 20 years of security challenges in credit cards, ATM machines, on-line banking and e-commerce. Again and again, criminal gangs have found it relatively easy to recruit talented IT experts, to share information internationally and to devise cunning methods to commit fraud and steal money from banks, businesses and their customers. Information is shared, bought and sold on the so-called dark web, and new methods can be rolled out so quickly that it’s difficult for even the most responsive companies to prevent attacks.

If they are going to protect their customers’ safety and security, not to mention their own reputations, automakers and their suppliers will have to get very serious about secure hardware and software. They will need to embrace encryption. But they will have to do more than that. They will have to re-invent complex, global business systems and processes within their own organisations. From the R&D centres right on down to the dealerships, they will have to become companies which have security at their core. Remember the old cliche about the chain only being as strong as its weakest link? More often than not the weak link turns out to be human. The banks and financial institutions have always known this. They have become masters of digital security, spending billions on technology and systems, and still they face a daily battle to stay ahead of the bad guys. The automotive industry has a lot of ground to cover, and not much time, to establish a secure basis for the era of the connected car.