There are great times ahead for the automobile industry. As an increasing number of manufacturers develop and switch to electric vehicles from traditionally fuelled ones, there are huge moves around battery reliability and longevity. There are exciting advances in safety features such as self-parking ability and auto-braking if a hazard appears, and the ability of a car to take its own defensive measures.
But if there is one certainty in the automobile industry, it is that vehicles will become increasingly connected, and will have the facilities to access all manner of online services to receive real-time map directions, updates to traffic situations, in-car entertainment, and personal data such as texts and emails.
Connected cars are only going to extend their connectivity and as that increases, entrepreneurs will find new and novel ways of exploiting it. Unfortunately, they are unlikely to be the only people interested in exploiting the connectivity of vehicles; hackers around the world are likely to see this new target as a huge challenge and strive to break into the systems.
Like the draw of the NASA system or breaking into Military databases, habitual hackers are likely to view new and complex systems as a challenge and worthy of hacking into. The problem with that is that to take control of a moving vehicle is incredibly dangerous and likely to end with serious injury or even death.
As well as increased connectivity in driven cars, fully autonomous vehicles are not far from being a reality on our roads, and that then creates a whole new level of potential danger if they lose control to a hacker. A number of big brand car manufacturers have made early inroads into the development of autonomous vehicles, including Google, Tesla and also the Uber corporation, whose driverless cars were successfully tested in California in 2016.
Following these tests, there are predictions that there could be as many as 54 million autonomous vehicles on the road by 2035, with the number steadily growing as driven vehicles become less popular, or are seen as inherently dangerous because of the human element. Now imagine that number of vehicles being hacked. Clearly, there has to be some defence against it.
Stay safe, stay connected
That impending situation leaves computer security experts in a quandary and with a huge task ahead of them; combat the best efforts of hackers while allowing increased connectivity and complete autonomy. This has become even more pressing since the hackers have already demonstrated that they have the skills to take over a connected vehicle with an attack on a Jeep.
In this pre-defined and organised test, two experts hired by Jeep hackers remotely took control of a Cherokee and cut its transmission on the highway as part of a research initiative for the company. The well-publicized incident prompted parent company, Chrysler, to recall 1.4 million vehicles for an update in the hope of preventing any further incidents.
The roots of cyber security
The main problem with new vehicles is the amount of electronic control units (ECU’s) that are used to enable different parts of the car and are connected via an internal network. This means that, effectively, the whole car can be accessed via some smart device that has an outside connection.
In modern cars, that tends to be the infotainment system, and it becomes a doorway for any errant hacker to gain access to the vehicle. Plainly, since it isn’t likely that customers are going to want to lose their connectivity and Bluetooth, the real defence comes from deflecting attacks rather than not having the ability to connect.
Specialist software, similar to the firewalls and anti-virus software found in PC’s can be used to protect the vehicle’s internal network as a whole. They do this by acting as a watchdog on the system and examining all network communications. From that vantage point, they can flag up any changes in the expected in-vehicle network behaviour and preventing attacks from travelling through the network.
This becomes an elegant solution since the computer system knows what it is supposed to be doing, and any variation of that is likely to be either a system fault or an outside attack. If such a state is identified, the computer can be programmed to take necessary action, including warnings, deflection, or a complete safe shutdown of the system to prevent a dangerous situation occurring. While a shutdown may be inconvenient, it is a lot safer than an uncontrollable situation.
The government view
Both the UK and US governments have already taken a strong stance towards connectivity and cyber security. In the UK, this concern has manifest as a series of principles, which include:
- Organisations must require knowledge and understanding of current and relevant threats and the engineering practices to mitigate them in their engineering roles.
- Organisations collaborate and engage with appropriate third parties to enhance threat awareness and appropriate response planning.
- Security risk assessment and management procedures are in place within the organisation. Appropriate processes for identification, categorisation, prioritisation, and treatment of security risks, including those from cyber, are developed.
- Security risks specific to, and/or encompassing, supply chains, sub-contractors and service providers are identified and managed through design, specification and procurement practices.
Basically, these principles require that the manufacturers of electronic components and software elements must be aware of the kinds of threat that could be levelled at their product and ensure that there is sufficient inbuilt security to prevent them becoming compromised. This is seen as the absolute minimum that should be undertaken to ensure complete security and negate the possibility of hacker taking control of a vehicle.
How safe are connected cars?
That fundamental question is difficult to answer definitively since car manufacturers tend to use their own in-house software which vary greatly. The experiment with Jeep proved just how exposed connected vehicles currently are, but the company has acknowledged the problem and has applied fixes to prevent a recurrence. All of that doesn’t mean that another manufacturer may not have similar issues, and real security is unlikely to be assured until connected and autonomous vehicles run a single version of software which has been proven to be completely safe and hackproof, and that could take some time to resolve.