The reality of hacking threats in connected car systems

With the integration of sophisticated technologies like over-the-air updates and increased data connectivity, cars are no longer just modes of transportation but also hubs of personal and operational data. This shift brings forth unique cybersecurity challenges, ranging from hacking and data theft to safety hazards resulting from potential system breaches.

In this Help Net Security interview, Ivan Reedman, Director of Secure Engineering at IOActive, discusses how manufacturers, government regulations, and consumers are adapting to these new challenges.

How has the rise of connected vehicles transformed the landscape of automotive cybersecurity?

The automotive industry faces new cybersecurity challenges as vehicles become more connected. Connected cars are more exposed to cyber threats such as hacking and data theft. All parties in the manufacturing supply chain should follow key principles for vehicle cybersecurity, such as organizational security, risk assessment and management, and product aftercare and incident response.

Connected vehicles also use new technologies such as over-the-air updates, which enable remote software updates. However, this also exposes the software to hacking, which can pose serious safety hazards.

All parties in the manufacturing supply chain must ensure that vehicles are secure from cyber threats. Several standards have been created to help set a global standard for vehicle security, such as:

UNECE WP.29 Cybersecurity Regulations: These regulations define a framework for identifying and managing cybersecurity risks in vehicle design, verifying risk management, keeping risk assessments updated, and monitoring and responding to attacks.

ISO/SAE 21434: This is a standard for cybersecurity engineering of road vehicles that guides how to implement cybersecurity in the vehicle development process.

What should consumers know about the cybersecurity risks associated with new cars?

Connected cars pose new cybersecurity challenges for the automotive industry. As cars become more connected, they are more exposed to cyber threats like hacking and data theft. Consumer expectations for vehicle functionality have also led to similar development practices as consumer technology, such as frequent bug fixes and feature rollouts that may not be fully tested. There have been news reports of some serious “features” not working or malfunctioning after updates.

Some of the main cybersecurity risks for connected cars are remote hacking and data privacy concerns. With remote hacking, hackers will attempt to access a vehicle’s systems remotely without permission. They may be able to control or influence critical functions, such as braking and steering. The vehicle architecture and the system implementation will determine how well the breach is contained to non-critical systems.

However, poorly designed or implemented architectures will offer little protection in a full breach, allowing hackers to move from non-critical systems like the infotainment unit to critical systems like brakes or steering. On the data privacy side, connected cars collect a lot of data, which raises concerns about how this data is stored, used, and protected. Hackers can access this data and violate privacy or even steal the consumer’s identity in some cases.

Consumers should be aware of these risks and protect themselves. One way they can do this is by keeping their vehicle’s software updated and using strong passwords for any connected services to reduce the risks of connected cars.

How do infotainment systems in modern vehicles pose cybersecurity risks?

The modern vehicle infotainment system offers and uses various connectivity options like wifi, bluetooth, usb, or cellular. These systems expose many interfaces that hackers may be able to exploit to access and control vehicle functions remotely, endangering human safety. Infotainment systems also store personal information, such as personal contacts and location data, which can attract cybercriminals. The vehicle architecture determines how well the critical systems are protected from such breaches. Good architecture is designed to isolate the non-critical systems from the critical ones, while a bad architecture or implementation does not.

The criterial for standards development (CSD) of the Institute of Electrical and Electronics Engineering (IEEE) has found several security flaws and vulnerabilities in current telematics and infotainment systems. One of them allows for the possibility of attackers to send arbitrary controller access network (CAN) messages that affect safety-critical systems in the vehicle and as such the CSD suggests separating the telematics/infotainment actions from the CAN bus communication functions to prevent this.

Consumers must understand that a vehicle’s functionality can have serious safety impacts if not implemented securely. Vehicle manufacturers vary in their security standards and practices, which makes standards such as ISO/SAE 21434 and regulations such as UN155/156 more important.

How are automotive manufacturers adapting to comply with evolving cybersecurity standards?

Automotive manufacturers are adopting new processes and technologies that meet the changing cybersecurity standards to keep their vehicles safe from cyber threats. For instance, the International Standards Organization (ISO) and SAE International have issued a joint standard for automotive cybersecurity engineering, which outlines a systematic process to integrate cybersecurity into the vehicle design.

Moreover, the United Nations Economic Commission for Europe (UNECE) has enacted new cybersecurity regulations for vehicles, mandating manufacturers to get a Certificate of Compliance for the cyber security management system (CSMS). This certificate is granted by an approval authority or its technical service and lasts for three years. The CSMS must encompass the development, the production, and the post-production stage.

Automotive manufacturers are also using new technologies such as over-the-air updates, which enable them to update software remotely. However, this also exposes the software to hacking, which can pose serious safety hazards. To prevent this, manufacturers are applying new security features such as secure boot, which verifies that only authorized software is loaded onto the vehicle.

Cybersecurity compliance is a key theme for automotive manufacturers looking to implement new processes and technologies into their fleet but also helps ensure that their vehicles are secure from cyber threats. These standards and regulations can reduce the risks related to connected cars and safeguard their customers from cyber threats.

What are the main challenges in managing cybersecurity across the automotive supply chain?

Vehicles are made of components from various vendors, who may have different security standards and practices across different regions and cultures. Without clear and strict security requirements from the vehicle manufacturer, and thorough testing to ensure compliance, the vehicle’s security posture will vary across its components.

One of the major supply chain risks for the automotive sector is the infotainment systems and connectivity technology provided by software vendors. Consumers want new and better features, which means constant integration of infotainment and connectivity functions. These functions introduce new vulnerabilities. The biggest automotive cybersecurity challenges for the next two years are connected vehicles, over-the-air software updates, and vehicle-to-vehicle communication.

How are government regulations shaping the automotive sector’s cybersecurity approach?

The UNECE has issued new regulations that mandate original equipment manufacturers (OEMs) and their suppliers to adopt comprehensive cybersecurity solutions to prevent and counter cyberattacks. The regulations cover four aspects: cyber risk management, vehicle security by design, detection and response capabilities, and secure software updates without compromising vehicle safety.

The regulations are expected to take effect from July 2024. Like other EU regulations, they will have a global impact as the EU is a large market for vehicle makers. Several ISO/SAE standards have been created to address cyber security threats, and following these standards will help automotive manufacturers comply with various government regulations around the world, both existing and upcoming.

What emerging cybersecurity threats should the automotive industry be prepared for in the near future?

The risk to human life resulting from a vehicular hack is the most serious concern and emerging threat to the automotive industry, followed by data theft.

While both are a constant threat, vehicle autonomy brings new and evolving challenges in terms of safety and responsibility for data theft. Who should be held accountable if an autonomous vehicle causes an accident? The driver, the car, or the manufacturer? Different legal systems have different answers to this question, and it has implications for financial liability.