In May the Consumer Technology Association reported on Connected Car Security, describing modern vehicle electronics as a “Honeypot for Hackers”(1).

They’re right.

The CTA reporting described key issues including Hardware Security Modules (HSM) and isolated/separated buses for car-critical systems (engine control, braking, steering, etc.) versus entertainment systems, the inherent vulnerability of wireless connectivity systems, a legacy of an industry focused on “safety” meaning parts failures rather than hacking, and developmental cycles that put any approach to improvement 3 to 5 years out into the future. In the end it highlights the growing awareness of the need for a more holistic approach to vehicle system security.

And well they should.

So far during the first half of this year we have seen news stories describing electronic systems vulnerabilities in Audi, BMW, Lexus, Mitsubishi, Nissan and Toyota cars. There may be more we have not yet seen.

These vulnerabilities have ranged from internet access allowing un-authorized remote control of a car’s climate control systems (2), to local wi-fi hacking of a vehicle’s security/alarm systems (3), to home-baked radio hacks to unlock doors and start cars with keyless door/ignition systems (4), and even include faulty Over-the-Air (OTA) software upgrades that caused navigation and climate control systems to mis-behave (5).

It’s been a busy half year, with ample evidence that “there are still a few bugs in the system”.

In our view:
– HSM is not enough
– Separating buses is not enough
– Intrusion detection is not enough
– No fix to one specific component, one sub-system, or one threat scenario will be enough

A system level architectural approach is needed, which takes into account hardware in the vehicle, services in the cloud, qualification of apps, sources of data, and mechanisms of rolling out updates to vehicles.

And more.

It is not just a question of technologies, but of behaviors and discipline. No one company can do it all. It will require cooperation among many participants, an approach that may seem as alien to the automotive industry as it does to the electronics industry.

 

Notes:
(1) “Connected Car Security” by Robert Calem (https://www.cta.tech/i3/Features/2016/May-June/Connected-Car-Security.aspx dated 16 May 2016)
(2) “Nissan disables Leaf app after car hack risk revealed online” by Leon Kellian (https://www.bbc.com/news/technology-35660641 dated 25 February 2016)
(3) “Mitsubishi Outlander hybrid car alarm ‘hacked’” (https://www.bbc.com/news/technology-36444586 dated 6 June 2016)
(4) “BMW, Audi and Toyota cars can be unlocked and started with hacked radios” by Cara McGoogan (https://www.telegraph.co.uk/technology/2016/03/23/hackers-can-unlock-and-start-dozens-of-high-end-cars-through-the/ dated 25 April 2016)
(5) “Faulty update breaks Lexus cars’ maps and radio systems” (https://www.bbc.com/news/technology-36478641 dated 8 June 2016)