Safety first: managing security in the connected car

Connected cars offer many potential benefits, and car manufacturers appear to be committed to them as the cars of the future. But security issues still concern consumers: how will the industry manage these?

IHS Markit has predicted that by 2023, worldwide sales of connected cars will reach 72.5 million units, up from 24 million units in 2015. This means that in about four years’ time, 69% of passenger vehicles sold will be connected, digital technology-powered and exchanging data with external sources in real time.

What security issues exist?

Connected cars face all manner of security issues and challenges, not least that, because they are connected, they can be hacked into and controlled remotely. This is a fundamental security element of car ownership: you don’t want anyone with a rudimentary knowledge of hacking to be able to access your car’s systems and take control of it. For example, earlier this year a team of hackers compromised the key fob of a prominent electric car using just $600 worth of radio and PC equipment. They opened the door and drove away.

Perhaps more seriously, connected cars can be hacked into and controlled remotely. White hat hackers have demonstrated this on a number of occasions, as far back as 2015. Two hackers took control of a self-driving SUV, in which a Wired journalist was traveling, and proceeded to toy with the air conditioning, radio and windshield wipers, eventually shutting down the car’s engine and forcing the driver to a stop at the side of the road.

Similarly, in 2018, researchers uncovered a bug in a misconfigured server that gave them access to the back-end systems of Internet-connected vehicle management systems provided by Viper SmartStart, theoretically enabling them to locate vehicles via coordinates, reset passwords, unlock side doors, disable alarms, start engines and ultimately steal vehicles. In 2016, hackers unearthed vulnerabilities in the entertainment systems of connected Volkswagens and Audis, through which they could remotely seize control of infotainment dashboard microphones and even the cars’ navigation systems.

The data and privacy factor

Because it is connected to the Internet, a car’s data trail is also open to snooping by malicious actors. Connected cars have become part of the data journey by default and are connected to people, other vehicles, homes, offices, stores, smart city services and more. That means they are repositories of personal data, including location-based information about where the driver and passenger have been, plus other data that you might use in your car, such as your email, Google searches or social media. You are in a computer on wheels, after all.

The car being a source of data also raises the possibility of owners of second-hand cars being able to access all the data the previous owners generated, if the car is not disconnected, or “unbound,” by an official dealer. It also raises the issue of data protection lawsuits being brought against car owners and car manufacturers.

Car manufacturers are naturally keen to develop their connected offerings, to give customers in-car experiences based on things like software as a service (SaaS) and recurring subscription revenues as consumers purchase services through in-car apps. But they will need to have privacy policies in place and robust security architectures that many of them simply do not seem to have as yet.

The security issues and data concerns are certainly real and have even prompted some industry insiders and commentators to ask: if connected cars are such a potential security liability, are they really worth the effort?

In an article in the FT, Dan Sahar, Vice President at Upstream Security, which monitors cyber-attacks on connected cars, reports that 2019 has already seen 71 car cyber-attacks compared with 73 for the whole of 2018. “Now that cars are more connected, with technologies such as Wi-Fi and 3G, 4G and 5G, hackers have multiple ways to get in,” said Sahar. Clearly, car manufacturers need to make security a bigger priority than they perhaps previously thought.

What can manufacturers do about it?

According to the KPMG Cyber Consumer Loss Barometer, 82% of consumers would be wary of buying a car from a manufacturer that had been hacked. This is the kind of landscape manufacturers have to address and mitigate. But how should they go about it?

It starts with making the case for connected cars, re-emphasizing their benefits, and then moves on to a roadmap for security. Here are four key steps:

1. Emphasize the overall benefits of the connected car. Connected vehicles can help prevent crashes, reduce traffic congestion and have a positive impact on the environment through lower carbon emissions. Beyond that, there are personalized owner benefits to highlight, including greater convenience, easier maintenance via insights and in-car entertainment options.

2. Understand the various types of cybersecurity risks and threats. In the U.S., the National Highway Traffic Safety Administration has identified four areas of risk associated with cyberthreats around connected car data: privacy and security, fraudulent commercial transactions, non-safety operational interference and safety-related operational interference. As mentioned previously, these range from access to the car owner’s, driver’s or passenger’s personal data right through to the passenger or driver losing actual physical control of the connected vehicle. Car manufacturers need to understand these cyberthreats and put in place appropriate and effective security measures to address them.

3. Plan and implement an end-to-end security approach. There are more in-car connection points than ever before, from connecting to the cloud to communicating with the car manufacturer’s servers to streaming in-car entertainment for passengers. This creates more potential security vulnerabilities that hackers can exploit. Manufacturers need to put a layered, end-to-end security methodology in place to minimize these risks. Layered means addressing potential security risks in the vehicle layer itself, the back-end and cloud layer, and the network layer, all points along the data journey where the car’s data could be vulnerable.

4. Think partners and ecosystem. If car manufacturers want to address the very real security concerns of connected cars, they need to collaborate with qualified expert partners. As connected car functionality grows and becomes more complex, the interdependence between the vehicle and network connectivity will increase at the same time. Car manufacturers need to work with network providers, telecom companies, security specialists and government regulators to design an end-to-end security approach.

Connected cars mean that a car is now much more than “just” a way of getting around: it is a data-generating and transmitting computer on wheels, and that will make it a target for malicious actors. As time moves on, car buyers will become more and more aware of the privacy and security issues around connected cars, and the onus will be on car manufacturers to reassure them they are doing enough about cybersecurity.


Steve Harris

I’ve been writing about technology for around 15 years and today focus mainly on all things telecoms - next generation networks, mobile, cloud computing and plenty more. For Futurity Media I am based in the Asia-Pacific region and keep a close eye on all things tech happening in that exciting part of the world.