Nathanael Mohammed, Technical Writer, Security Compass
Shahrear Iqbal, Security Researcher, National Research Council Canada
Modern vehicles contain more technology and more lines of code than ever. The perception of a car from the future may be one that drives itself, and while autonomous vehicles are still on the horizon, the vehicles of today are futuristic in their own right. Today’s cars are becoming more like computers that are designed to integrate with our lives by forming highly connected ecosystems that communicate with the Internet, other devices, and various internal systems. Today’s modern car is the connected car.
With our vehicles in the middle of these communication streams, how are they being protected? Do we need to install anti-virus and anti-malware software? Is the onus on the driver or the manufacturer to protect vehicles from the consequences of being so highly connected? These are questions consumers may not be asking yet, but as cybersecurity comes to the forefront of software development, the rolling computers we drive every day will need to reflect that same ideology: unless connected vehicles are developed with security by design, we all risk the repercussions of cyberattacks.
In fact, the automotive industry is already known for its rigor in creating fault-tolerant software compared to other software companies. However, vehicle components now include interconnected hardware, software, and communications that make up the infotainment, telematics, and Advanced Driver Assistance Systems (ADAS). It’s natural that consumers would value safety in their vehicles, and the industry addresses that; however, there is a gap between the measures developed for vehicle safety and those for vehicle software security.
A multitude of interconnected components makes up the modern-day connected car.
To put this into perspective, secure software development for connected cars is still in its infancy. Although the cybersecurity risks in vehicles have always existed, they are only becoming problematic now. For instance, in the past, car manufacturers justifiably invested heavily in reliable and fault-tolerant systems to address high-risk issues rather than low-risk issues, such as data privacy. Vehicles have always collected information on their passengers, and they collect even more now, but that information was never at risk of theft until the vehicle became connected to a network. As with all plaintext traveling over an insecure channel, any novice using off-the-shelf hardware could eavesdrop and collect it. A low-risk issue became high-risk because the attack surface of the vehicle increased with its connectivity. Are car manufacturers addressing this?
Greater connectivity results in previously innocuous features contributing to a greater attack surface for modern vehicles.
The automotive industry has developed expertise in vehicle safety; however, vehicle security has not received the same priority. The mentality that vehicle security should be addressed by design from the beginning of development to the end is not yet mainstream, and this affects the attack surface of modern cars. End-to-end security means addressing security at each stage of development, alongside vehicle safety. In practice, it isn’t entirely up to car manufacturers to shift this paradigm, as vehicle software standards and regulatory bodies are also relied upon to create guidance. But that process requires time and is also in its infancy. As these standards are developed and adopted, a layer of traceability must be applied to the process that allows manufacturers to provide accountability for their security initiatives, or their lack thereof. This type of auditing is necessary for manufacturers to prove their compliance with security, just as they already do for safety. In fact, the ideal process gives safety and security equal weight and allows for security and safety testing to be completed with the same rigor. While this paradigm shift is possible with the correct players, it brings to light the limiting factor in this strategy: the lack of players.
In both the software and automotive industries, skilled security professionals are lacking. Without an initiative to train and educate developers on the security requirements of software development, security suffers from being handled like an afterthought rather than a business requirement. These initiatives also require the various arms of the industry to clasp hands and collaborate on security standards and best practices. Software security consultants and platforms may be preparing to address these requirements, but not as aggressively as the industry is attempting to innovate.
It’s important to acknowledge that the latest research on connected cars shows that attacks are unlikely and challenging to execute. At the same time, while known attacks require significant resources to execute, previously innocuous attack vectors now carry the potential for an exploit. But the emphasis shouldn’t be on potential threats; it should be on the importance that the automotive industry places on its security programs compared to its safety programs. There needs to be a shift in mentality so that security is built in by design and addressed throughout every stage of development. There needs to be a shift towards a unified set of compliance and standards for testing and auditing. There needs to be a shift towards a relationship between safety and security. These initiatives overlap, and if the automotive industry fails to treat vehicle software with the same rigor as the most security-conscious software company, it also fails you. The next time you shop around for a new car in the face of an array of innovative features, will you be confident that every effort possible was made to keep your vehicle safe, secure, and compliant?