One unfortunate side effect of our increasingly interconnected world is the frequency with which we are susceptible to cyberattacks. If you’ve read the news recently, chances are you’ve heard about all manner of devices being vulnerable to attack. Routers have been hacked to enable the spread of dangerous botnets. Smart home systems, including doorbells and cameras, have been compromised. Last year, the FDA even had to issue a warning that home insulin pumps could be targeted by attackers.
Despite these constant revelations, there are still plenty of connected devices whose vulnerabilities remain widely underreported. Most people are aware that their laptop or their router could potentially be compromised, but how many think about the fact that their car is likely connected to the internet? The idea that IoT-enabled vehicles could be targeted by hackers isn’t science fiction — it’s reality. As more and more vulnerabilities are revealed in today’s connected cars, the necessity for stronger protections has become even clearer.
A Serious, Proven Danger
Any connected device represents a potential target for would-be attackers, but vehicle hacks represent a particularly dangerous type of cyberattack. The reasons are simple: While a compromised router, smartphone or other device might inconvenience the user or result in the loss of money or personal information, vehicles are, by their very design, large, fast and dangerous. A compromised car doesn’t just risk the driver’s personal information — it potentially risks the lives of the driver and everyone around them.
This is not idle speculation. In 2015, researchers demonstrated that they could use a zero-day exploit to remotely “kill” a Jeep on the highway, bringing it to a full stop. They were able to wirelessly take control of not just the Jeep’s braking and acceleration, but its steering, dashboard functions and other features, leaving the driver helpless.
It wasn’t the first time these researchers demonstrated an exploit of this type: They performed a similar experiment with a Ford Escape back in 2013. Thankfully, both the Ford vulnerability and the Jeep exploit were discovered before serious damage could be done by attackers, but their existence served as a wake-up call to the industry.
Jeep and Ford are not alone. Tesla, an auto manufacturer generally perceived as being on the forefront of technology, had its Model S compromised by Chinese hackers last year. The cybersecurity researchers were able to “trick” the vehicle’s autopilot into swerving into oncoming traffic, and although the simulated attack took place in a controlled environment, it demonstrates one of the more terrifying possibilities associated with vehicle hacks.
Chinese researchers have demonstrated similar vulnerabilities in Tesla vehicles before: In 2016 and 2017, they accessed the brakes, door control, lights and other features of a Tesla Model X. What makes this especially concerning is that electric cars use a considerable amount of software to regulate energy usage, and a destructive hacker targeting electric vehicles could produce dangerous results.
Organizations like Consumer Watchdog have begun to take notice of this issue. A report issued last year revealed that a fleet-wide cyberattack launched on connected cars during rush hour traffic could result in catastrophic loss of life, with casualties numbering in the thousands. The group challenged automakers to end the practice of connecting safety-critical systems to the internet, even urging Congress to intervene if the manufacturers themselves are unwilling to act.
Increased Emphasis On Cybersecurity Is A Must
When considering the potential dangers of a vehicle hack, it’s important to remember that a savvy hacker doesn’t even need full control of the car to potentially cause loss of life. Obstructing the driver’s view by continually spraying wiper fluid or distracting the driver by suddenly blasting the stereo might be enough to cause a serious accident. With this in mind, there are countless systems within any car that might be viewed as “safety-critical.” Rather than disconnect these systems from the network entirely, manufacturers should instead focus on increasing their security, thereby making it harder for their vehicles to be targeted.
A recent report by BIS Research valued the automotive cybersecurity market at $1.26 billion in 2018, with an expected 14.25% compound annual growth rate between 2019 and 2029, indicating that the gravity of the issue will lead automakers to take security more seriously. Gaining additional visibility into the supply chain will be a key aspect of this, as worldwide standards ensuring the security and authenticity of connected devices are practically nonexistent. Without assurances that components being installed in a vehicle are secure, vehicles could potentially be compromised before they are driven off the lot.
Features like secure boot and certificate-based authentication are becoming increasingly important within the automotive security world. Technology designed to authenticate a given device and ensure that it has not been tampered with can go a long way toward ensuring that vehicles and their individual components are safe. A valid certificate essentially says, “It is safe to connect to this device,” and third-party public key infrastructure (PKI) capable of authenticating a large number of devices is essential for vehicle manufacturers. Secure boot ensures the firmware on a vehicle ECU has not been tampered with.
Many in the transportation industry have already begun to adopt this technology. AeroMACS technology, a standard in the aviation industry, utilizes PKI certificates, which have proven highly effective. (Full disclosure: Sectigo has advised the WiMAX Forum on how to implement PKI within the AeroMACS standard.) Strong support and life cycle management plans are also vital. As new vulnerabilities emerge, manufacturers must support their vehicles in use with patches, software updates and other critical measures.
Safety And Trust Go Hand In Hand
The unfortunate truth is that cyberattacks are simply not always “solvable” problems. It is inevitable that hackers will constantly attempt to stay one step ahead of defenders; likewise, it is up to security teams to devise new and innovative ways to stop them. This is as true for the automotive industry as it is for every other sector. But by recognizing the problem and establishing a strong plan for authenticating devices and components, ensuring that they have not been compromised and effectively managing their life cycles, car manufacturers can help ensure that their vehicles remain both trusted and safe.
