The future is connected cars, but will they be secure?

by David Gray

09 June 2020


As vehicles get smarter, cybersecurity in the automotive industry is a growing concern for vehicle manufacturers, OEMs and drivers.

The amount of technology embedded in connected cars creates a growing attack surface for hackers to exploit. By exploiting vulnerabilities, they can access car systems and compromise drivers’ personal information and physical safety. This isn’t the stuff of science fiction either. In 2015, for example, researchers proved that they could take control of a Jeep Cherokee remotely and send it off the road. That same year, hackers found a vulnerability in BMW’s ConnectedDrive technology and exploited the weakness to take control of vehicle functions.


By exploiting vulnerabilities, hackers can gain access to car systems, compromising the drivers’ personal data and their physical safety

We’ve also seen attackers reuse attack techniques from other environments (most notably Operational Technologies), so it’s not out of the question that we could see ransomware attacks on vehicles soon. The automotive industry has a unique set of challenges when it comes to security. For starters, connected cars and autonomous vehicles are highly complex, relying on over 100 million lines of code - that's more than a commercial aircraft, a fighter jet and Facebook combined. Add this to over 30,000 component parts, 30-100 Electronic Control Units (ECUs) and around 25 gigabytes of data created every hour by a connected car, and we can see that today’s car is a sophisticated computer that needs securing, patching and updating regularly.

A fragmented supply chain adds further complexity

Then there’s the supply chain, which is highly fragmented with hundreds of suppliers each producing component parts and ECUs to their own standards and patch specifications. And, even if the individual component is robust, poor integration can lead to vulnerabilities.



With the introduction of 5G networks, automotive manufacturers now have a much more robust means of updating vehicles ‘over the air’. What the traditional IT industry has faced for years with patching is going to become a reality in the automotive sector. Vehicle updates and patches can be deployed without visiting the dealership.

Manufacturers will look to their supplier ecosystem to share the responsibility for security. Traditionally, they specified exactly what they expected suppliers to produce, but they only vaguely specify cybersecurity requirements and are unlikely to mandate the use of specific standards or frameworks.

Plus, suppliers have been reluctant to invest in creating their own standards in case the manufacturer mandates a different one. (There’s an exception to this rule: VW recently announced that it is to create its own centralized operating system across all 12 VW Group brands. This will see them establish a common single software stack for everything from instrument displays and infotainment to powertrain and chassis management.)

Ensuring every component is secure by design

It’s a stalemate that cannot continue if security is ever to be part of the design stage of a vehicle. The manufacturer, as the final assembler of all component parts, needs to take responsibility for ensuring that third-party systems are also secure by design, and that systems don’t become vulnerable when connected.

Standardization of automotive cyber platforms can only be good in the long run for auto-industry cybersecurity. The connected car is going to make itself indispensable for owners. By making journeys easier (such as avoiding jams automatically) and removing the need to visit dealerships for software upgrades, it will make ownership easier. In the future, there will be a move to full automation, which is likely to have more of an impact on how we use our vehicles. If we are removed from the pleasure of driving, would we want to own a vehicle? If we then move to an autonomous lift-share model, do we consent to our data being stored on every vehicle we use? And is there going to be a facility to remove that information when we step out of the vehicle? Plenty of issues are going to crop up that people aren’t considering at the moment.

David Gray


Senior Manager, Global DFIR, Security Operations & Intelligence Practice