Connected cars: Are tomorrow’s drivers at risk?

The Internet of Things (IoT) aims to enhance the way we engage with devices around the home and we are now beginning to see the growth of this technology reach our driveways. Specifically, our automobiles. According to IHS Automotive, within five years there will be 152 million vehicles connected to the Internet via mobile apps that are now available with some car models. These apps can control your vehicle’s climate systems to providing Wi-Fi “hotspots” for mobile Internet access within the vehicle.

However, the growth of connected cars has raised some concern. Following the hacking trend directed at IoT devices in the household, the question is being asked: How safe is the public from hacked automobiles?
Imagine this scenario: you’re driving along a busy highway when without warning, your car’s brakes or steering wheel locks up. Or, you slow down as you approach a traffic light and your vehicle starts accelerating. Is this possible? If so, would this affect the car industry with determining culpability? Furthermore, what does this mean for public safety?

As more automobiles connect drivers and passengers with onboard systems, the more similar these systems are to mobile computers and this evolution could very well carry hacking over to our cars. Just recently, the Operations Chief for Apple Computers, Jeff Williams, alluded to Apple’s interest in the automotive market stating, “…the car is the ultimate mobile device…” This statement shows how attractive the automobile industry is to technology companies.

The more that vehicles are equipped with technology, however, the greater the increase for vulnerabilities. During a security conference in the summer of 2014, students from Zhejiang University successfully hacked into Tesla’s Model S and were able to open its doors and sunroof, switch on its headlights, and engage the vehicle’s horn – while the car was in motion. The Tesla brand is not unique in this regard. Numerous examples and exploits have been recently published on the hacking of vehicles.

In February 2015, U.S. Senator Edward Markey, from Massachusetts, released a report that discusses how vehicles may be vulnerable to hackers and how driver information is collected and protected. Some of his key findings state that nearly 100% of cars on today’s market include wireless technology that could pose an opportunity for hackers and that most automobile manufacturers weren’t aware or were unable to report on past hacking incidents. Senator Markey is so concerned that he and Senator Richard Blumenthal, from Connecticut, have proposed legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure automobiles from hackers.

This threat doesn’t stop at traditional autos. It was recently reported by Consumer Affairs that driverless cars may also become vulnerable. Predicted to roll out to the roads of America by 2020, self-driving cars will be outfitted with various sensors to navigate through different environments. If a hacker were to remotely access one of its sensors, such as LiDAR (light detection and radar), which helps avoid obstacles, the vehicle could be forced to accelerate into the object in its path instead of yielding or stopping.

Most of the software leveraged by car manufacturers is well known and consists of open systems, making the programming and networking standard. Therefore, not only do we see how low the barriers of protection are for hacking into an automobile, but the threat landscape is quite hospitable for attackers. Once you add motive, such as retaliation, this may provide a whole new category for destructive delivery devices.

If car manufacturers are going to heavily promote the online/connectivity capabilities of their vehicles and use those features as a means to drive purchase, there needs to be a heavier burden to lock down those products. The most exposed products that hackers will concentrate on will be the ones that are most likely to have online features activated by the user. Unfortunately, the average consumer is not adept at configuring security on the product beyond what is in place. In the end, closed and proprietary software systems need to be implemented by manufacturers of connected products.

The pressure to dramatically increase security in a product offering is, of course, not entirely new. As more products become connected, we see vendors delay product shipments in order to ensure they are offering the latest security solutions to expectant customers. We’re also in the age of technology companies who offer free, official OS security software – these solutions were previously offered only by third parties, to varying degrees of success and at a high cost. There’s no doubt that in the world of connected services and products, the first step of security comes from the vendor. In this case, it’s one more thing that car manufacturers must ensure they address.

For instance, it’s important that manufacturers ensure connections to cars, such as Bluetooth or Wi-Fi, don’t allow the user to reach control of powered operational functions. This can be accomplished at the most fundamental system layer, ensuring that control of powered functions is isolated from other systems. In cases where specific connections and exchange of data may be essential, manufacturers can work to implement systems where command input or data flow is only possible in one direction. Additionally, various proprietary measures can be put in place to ensure software cannot be rewritten or tampered with while in use.

As we enter a new era of connected transportation, there’s no question that a new threat arises and a new responsibility falls on manufacturers, vendors and legislation to help protect not only the consumer, but also the general public. The faster vehicle manufacturers begin to integrate cyber safety testing into the R&D process and the faster the government steps up to pass stricter car safety laws, the safer our future roads and public at large will be.