Where we are with the Connected Car
Automotive security is roughly where the internet was before the dot-com boom: openness and the ability to communicate were the priorities, and security was an afterthought. That philosophy caused all sorts of problems once business moved onto the internet, and we are still recovering from what, with the benefit of 20/20 hindsight, looks like a very bad decision.
Even the least expensive cars have a couple of dozen computers (electronic control units) controlling their functions; in more expensive ones a network of over 100 is not uncommon. All of these computers are networked together on the same trusting philosophy as the pre-dot-com internet: the in-vehicle bus (CAN, in most cars) carries no authentication of who sent a message, so any node that can transmit on it is believed. If an attacker gets access to a vehicle's network, it is easy to send malicious instructions or upload very malicious software, such as software that tells the car to lock the left front brake when the speed reaches 80 mph, and because these networks are so trusting they will cheerfully accept those instructions and carry them out. That is potentially very bad, and any of the dozens of computers that control the operation of a car can be subverted in this way.
On the bright side, doing this does require access to the vehicle's network. On some cars that is very easy. All three of my cars have a USB port under the dashboard that you can expose, which makes it easy for hobbyists to implement modifications or enhancements to their vehicles. Other manufacturers make it more difficult. But because technicians need access to this network to perform maintenance on vehicles, getting access to it is never really that hard, although it does require physical access to the vehicle.
The Wireless Connected Car
But now we are adding wireless connectivity to vehicles, and if we are not careful that will let attackers obtain remotely the same level of access that once required physical presence. Connecting cars to the internet could therefore create a huge security problem, and the potential harm is different in kind from what we are used to. Most financial transactions can be rolled back, so the financial system can recover from many attacks; if a malicious attack on a car kills or injures someone, that harm cannot be rolled back.
Some systems are built with very strict development and coding practices; nuclear reactors and commercial aircraft are two examples. Because the risks are so great, automobile manufacturers should consider adopting similarly robust practices. On the other hand, that level of robustness isn't cheap. As a society we seem to think the additional cost is worth it for multi-million (or even billion) dollar nuclear reactors and commercial aircraft, but it is not clear that consumers would pay for the additional technology that would make cars equally robust. This is a discussion we ought to be having now, before unnecessary deaths or injuries from hacked cars produce laws or regulations that are less useful than ones written carefully and thoughtfully beforehand.
IoT Security Frequently an Afterthought
Situations such as the Mitsubishi Outlander and Nissan Leaf hacks show how easy it is to decipher the communication between the car and the back end, and are yet another demonstration that security is frequently an afterthought for companies not accustomed to the broader issues surrounding the Internet of Things (IoT).
In the Nissan case it was widely reported that the companion app's back-end API accepted a car's vehicle identification number (VIN) as its only credential, so anyone who knew or guessed a VIN could query the car and operate functions such as climate control remotely. Obviously more security is needed. The VIN is a serial number that uniquely identifies a car, and serial numbers are already recognized as sensitive elsewhere: the HIPAA de-identification rule in the US, for example, lists device and vehicle identifiers and serial numbers among the identifiers that must be removed before health data counts as de-identified. The VIN should likewise be treated as sensitive data, and with today's technology it can and should be encrypted to minimize risk. With Format-Preserving Encryption (FPE), an application can be enhanced quickly to encrypt the field without changing its appearance: the ciphertext is still 17 characters from the VIN alphabet, so existing schemas and validation keep working, but it no longer names a real vehicle. Note that encrypting the stored VIN protects the data at rest and in logs; it does not substitute for authenticating the user and checking that they are authorized for that particular vehicle, which is exactly the check a VIN-only API skips.
An innovative and effective solution is to bake data-centric security, with FPE, into IoT devices such as connected cars, making it far less likely that attackers gain control over systems and the data in the back end. The same approach helps with compliance with ever more stringent data privacy regulations such as the new General Data Protection Regulation (GDPR). In addition, proper testing against attack vectors for connected IoT devices and apps for cars should be high on the list for any company shipping connected IoT devices.
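As an added illustration (this is not code from the post or from any HPE product), the following Python shows the idea of FPE applied to a VIN: a Feistel network in the style of NIST FF1 enciphers the 17 positions over the 33-symbol VIN alphabet, so the ciphertext is still VIN-shaped and decrypts back to the original. HMAC-SHA256 stands in for AES as the round function so the code runs from the standard library, which means it is not the standardized FF1 and is for illustration only; use a vetted FF1/FF3-1 implementation in production. The sample VIN, key and tweak are constructed. It also demonstrates a caveat the paragraph glosses over: a plain FPE ciphertext will usually fail the VIN check digit in position 9, so the hypothetical tokenize_vin function enciphers the other 16 positions and recomputes the check digit, giving a value that passes VIN validation but does not identify a real vehicle.

```python
"""Format-preserving encryption of a VIN with a Feistel network (illustrative only)."""
import hashlib
import hmac

# VIN alphabet: digits plus letters A-Z without I, O and Q (33 symbols).
VIN_ALPHABET = "0123456789ABCDEFGHJKLMNPRSTUVWXYZ"
RADIX = len(VIN_ALPHABET)
ROUNDS = 10  # same round count as NIST FF1

# Check-digit tables from the VIN standard; position 9 (index 8) is the check digit.
_TRANSLIT = dict(zip("ABCDEFGHJKLMNPRSTUVWXYZ",
                     [1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 7, 9, 2, 3, 4, 5, 6, 7, 8, 9]))
_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]

# Constructed sample values; the VIN is the standard textbook example, not a real car.
SAMPLE_VIN = "1M8GDM9AXKP042788"
KEY = b"example-key-do-not-use-in-prod!!"   # constructed 32-byte key
TWEAK = b"leaf-backend-vin"                 # constructed tweak (e.g. table or tenant id)


def _to_int(symbols):
    """Interpret a string over VIN_ALPHABET as a big-endian radix-33 integer."""
    n = 0
    for ch in symbols:
        n = n * RADIX + VIN_ALPHABET.index(ch)
    return n


def _to_str(n, length):
    """Inverse of _to_int, zero-padded to exactly `length` symbols."""
    out = []
    for _ in range(length):
        n, r = divmod(n, RADIX)
        out.append(VIN_ALPHABET[r])
    return "".join(reversed(out))


def _round(key, tweak, i, half, m):
    """Round function: keyed PRF of (tweak, round index, other half), reduced mod RADIX**m.
    FF1 uses AES-CBC-MAC here; HMAC-SHA256 is an illustrative stand-in."""
    digest = hmac.new(key, tweak + bytes([i]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (RADIX ** m)


def fpe_encrypt(key, tweak, plaintext):
    """Encipher a string over VIN_ALPHABET to another string of the same length and alphabet."""
    if any(c not in VIN_ALPHABET for c in plaintext):
        raise ValueError("plaintext contains symbols outside the VIN alphabet")
    n = len(plaintext)
    u, v = n // 2, n - n // 2
    a, b = plaintext[:u], plaintext[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v
        c = (_to_int(a) + _round(key, tweak, i, b, m)) % (RADIX ** m)
        a, b = b, _to_str(c, m)
    return a + b


def fpe_decrypt(key, tweak, ciphertext):
    """Run the Feistel rounds in reverse, subtracting each round output."""
    n = len(ciphertext)
    u, v = n // 2, n - n // 2
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (_to_int(b) - _round(key, tweak, i, a, m)) % (RADIX ** m)
        a, b = _to_str(c, m), a
    return a + b


def vin_check_digit(vin):
    """Compute the check digit for position 9 from the other 16 positions (weight 0 at index 8)."""
    total = 0
    for ch, w in zip(vin, _WEIGHTS):
        total += (int(ch) if ch.isdigit() else _TRANSLIT[ch]) * w
    r = total % 11
    return "X" if r == 10 else str(r)


def vin_is_valid(vin):
    """Format check a back-end validator would apply: length, alphabet and check digit."""
    return (len(vin) == 17 and all(c in VIN_ALPHABET for c in vin)
            and vin[8] == vin_check_digit(vin))


def tokenize_vin(key, tweak, vin):
    """Encipher the 16 non-check positions, then recompute position 9 so the token still validates."""
    if not vin_is_valid(vin):
        raise ValueError("not a well-formed VIN")
    body = fpe_encrypt(key, tweak, vin[:8] + vin[9:])
    draft = body[:8] + "0" + body[8:]
    return draft[:8] + vin_check_digit(draft) + draft[9:]


def detokenize_vin(key, tweak, token):
    """Reverse tokenize_vin: drop the check digit, decipher, recompute the original check digit."""
    body = fpe_decrypt(key, tweak, token[:8] + token[9:])
    draft = body[:8] + "0" + body[8:]
    return draft[:8] + vin_check_digit(draft) + draft[9:]


if __name__ == "__main__":
    ct = fpe_encrypt(KEY, TWEAK, SAMPLE_VIN)
    tok = tokenize_vin(KEY, TWEAK, SAMPLE_VIN)
    print("plain      ", SAMPLE_VIN, "valid:", vin_is_valid(SAMPLE_VIN))
    print("fpe        ", ct, "valid:", vin_is_valid(ct))
    print("tokenized  ", tok, "valid:", vin_is_valid(tok))
    print("round trip ", detokenize_vin(KEY, TWEAK, tok) == SAMPLE_VIN)
```

The tweak is the detail that matters operationally: binding it to the table or record context means the same VIN enciphers differently in different places, so an attacker who obtains one table cannot join it against another by ciphertext. Whether to recompute the check digit is a design choice; doing so keeps downstream validators happy, but a token that passes every format check is also harder to recognize as encrypted, so document which fields are tokenized.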
About the Author
Luther Martin, HPE Distinguished Technologist, is a frequent contributor to blogs and articles. Recent articles include White-box Cryptography in the April ISSA journal, Learning how to encrypt healthcare information on the HPE Security Blog, and Blockchain Explained on the Voltage.com blog. He will be delivering a session on Format-Preserving Encryption (Session ID B9843) at HPE Protect in September. This blog was written in a car dealership while having the intake fan for a turbocharger inspected as part of a recall program.