The rapidly developing world of self-driving cars will create an entirely new form of life in major cities across the world: Cars will be able to interact with each other and with their surroundings, creating massive amounts of data that can help solve traffic problems or, analyzed incorrectly, make everything worse. And don't get me started on the security problems.
Cloud Security Alliance is on the job: Their Internet of Things (IoT) Working Group has just released the first-ever research report on connected vehicle security. In addition to outlining almost 20 different attack vectors and their impact on a driver or vehicle, the report offers plenty of recommendations for how to best secure a connected vehicle in an environment full of them. The report is just out today. Here are the highlights.
The Risk Factors
CSA makes four main predictions about the connected vehicles (CVs) of the future:
- CVs will operate while communicating with both legacy and modernized traffic infrastructures and their sensors.
- Traffic Management applications and vehicles will interact with cloud services using a mixed set of transport protocols (RF/WiFi, etc.).
- OEM and 3rd party applications will be installed on vehicle platforms and traffic infrastructure components to provide enhanced capabilities.
- CVs will integrate with the IoT ecosystem to support vehicle integration with smart homes and smart businesses.
The bottom line: A fully connected IoT future is practically a sure thing, and that means cars will have far more security concerns. It's easy to mess up and tough to get right.
Emphasize Open Standards
New car features can allow owners to start their vehicle remotely, track its location, and even ask it to give information about its last trip. To properly secure these abilities, car tech should operate on openly acknowledged standards that will allow everyone to enjoy the benefits of quality control.
“The tie-in to a product like the Amazon Echo means that a consumer can, in some circumstances, start his or her car with a voice command to a smart home product. Locking down this command and control capability across all of the disparate components involved — smart home product, mobile app (x2), communications channel, vehicle platform — should be a focused and coordinated effort on behalf of the automobile and tech industries, with an emphasis on open standards.”
CV tech has already been studied by researchers, the report notes:
“1.4 million cars and trucks were recalled by Fiat Chrysler in June 2014, followed by the recall of an additional 8,000 Jeeps (2015 Renegades) to address remote hacking concerns. Fiat Chrysler is not the only car manufacturer having experienced hacks of their CV ecosystem: in August 2015, researchers managed to take control of a Tesla Model S and turned it off at low speed. Fortunately, Tesla quickly and remotely delivered software updates to fix the issue. In September 2016, a remote attack was discovered through the Tesla Bug Bounty Program.”
The report gets deep into the weeds, offering a comprehensive list of the specific pain points a CV developer should be aware of in order to keep the future of our roads relatively secure.
Could the potential security problems be basically what happened in the last Fast and Furious movie, when a hacker took over hundreds of cars in the middle of New York City? Probably not. But let's not even get close to that.