John Smith, principal solutions architect, Veracode, discusses why the connected car poses a significant challenge to the global car industry.
Driverless cars are truly on the British agenda. In the last Budget alone, the Chancellor outlined that trials of driverless cars on the strategic road network would be conducted by 2017, and that doctoral loans would be introduced to make the UK a centre for connected and autonomous vehicles.
This industry is booming globally. New research, carried out by International Data Corporation (IDC) and commissioned by Veracode, predicted the total market for automotive-related Internet of Things would be worth $140.3 billion in 2016. And aside from the vehicle manufacturers themselves, we’re seeing increased competition for market share from software companies and component manufacturers, such as Google and Apple.
While every automotive and technology company fights for a piece of success, concerns around the deployment of connected cars are never far off. As a greater number of elements within the car become connected, so too does the number of potential threats increase.
The cyber threat to automotives
The risk is true of all devices that are equipped with Internet access. It lies in the software which runs them and the network connections the device has with external data sources, such as cloud-based applications or other connected vehicles. Before computers were networked, they were fairly safe, except for viruses transferred via physical devices like floppy disks; in the same way, connecting vehicles to a global network will introduce similar security risks.
The biggest dangers posed to connected cars are from software vulnerabilities in the network connections that cars are increasingly making – and this threat isn’t unique to driverless cars. Indeed, cyber-attacks and software vulnerabilities are on the rise across all sorts of devices; the number of events has risen 66% every year since 2009.
The risk itself comes from attackers exploiting software-driven functions through vulnerable mobile apps or web interfaces. The recent Nissan Leaf vulnerability and the hacking of a Jeep Cherokee on an American highway clearly demonstrated that significant concerns lie behind the massive potential of driverless cars, in terms of both innovation and productivity.
A further significant concern is that it is increasingly important for connected cars to become an ‘app platform’ in themselves. This means that third-party apps will need to be installable in the car’s systems, but when designing their security measures the manufacturers will have no advance knowledge of these apps.
And despite the government and industry push to get these connected vehicles on the road, there is no immediate response to these security fears. Indeed, leading vehicle manufacturers, interviewed as part of the IDC report, predict a security lag of up to three years before application systems catch up with cyber threats.
There is no question that for government and manufacturers, driver and passenger safety is of paramount importance. To support them, the security industry must work closely with the automotive industry to ensure that every connected vehicle on our roads is safe from malicious actors.
Based on IDC’s research, it seems that manufacturers of connected cars are taking the approach of completely separating the infotainment systems from any driver functionality, to ensure that there is no link between their applications. This should help to reduce the chances that a third-party app could have an impact upon driver safety.
Perhaps more challenging is the question of whether the manufacturer should assume responsibility, and even in some cases liability, for the entire car ‘package’, regardless of what third-party applications or software have since been downloaded onto the car by the user.
Greater debate and clarity are clearly needed before the right approach can be agreed. The IDC report revealed that drivers are currently unclear on where the responsibility lies for securing connected car applications. When drivers were asked who they believe should be held liable if they downloaded an insecure app that resulted in a vulnerability in their car, the majority of drivers (40pc) held themselves to account, while a fifth (20pc) held app developers and manufacturers liable, and 17pc blamed the app store.
Clear regulatory standards must be introduced to ensure car manufacturers, technology vendors and drivers all know exactly where they stand on vulnerability issues. With the fast evolution of technology, the government continues to play catch-up on developing forward-looking legislation for many aspects of the industry. However, with an ever-growing number of connected vehicles hitting our roads, it’s important that we tackle this issue now, before an incident obliges it.
But no matter at what stage liability is assigned, it is essential that application security testing plays a key role in securing all the software and devices in the connected car. For the cost of a connected car breach may not merely be money or brand damage, but someone’s life. It is, therefore, essential that technology vendors and car manufacturers work closely with the cybersecurity industry to ensure that no element of their connected car introduces risk to security and safety.