Auto manufacturers are busy cyber-proofing their products to ensure greater passenger safety and to prevent the market potential of “connected” cars from being held hostage by attacks.
The business opportunity is obvious. By 2020, 75% of cars shipped globally will be built to allow people to stream music, look up movie times, search for traffic and weather conditions, and offer driving-support options such as self-parking, according to a report released in May by BI Intelligence, a syndicated research service.
The US researcher says the connected-car market will grow at a compound annual growth rate of 45% for the next five years—10 times faster than the car market itself. Of the 92 million cars forecast for delivery in 2020, BI Intelligence believes three-quarters will offer Internet-connection hardware.
However, as Internet connectivity becomes more common in the vehicle-control modules and after-market devices used in cars, security and privacy risks will mount.
Defining the Problem
As wireless connectivity escalates within the consumer automobile market, the challenge is to ensure that the cyber-security capabilities of the automotive industry that prevent unwanted intrusions can grow at the same pace.
At present, that isn’t the case. Recent research projects at the University of California-San Diego and at the University of Washington revealed that nearly every control system in the modern car could be compromised, and controlled remotely.
Most of the systems themselves were designed before present connectivity options became commonly available, so most offer limited, if any, protection against the emerging risks.
Adding the required level of cyber-resilience into automotive electronics designs will require a large effort from the industry, especially with phone-makers and their software providers embedding the functionality of mobile devices into our vehicles’ center consoles.
And it’s more than mobiles; a diverse market of “infotainment,” apps designed specifically for cars, digital diagnostics, monitoring services for new drivers, enhanced navigation systems and other services are all destined for the modern car. McKinsey last year estimated that sales in the ‘connected’ auto-component market would grow to $220 billion by 2020, up from the $39bn generated in 2014.
Wireless access points to new cars can include embedded modems for telematics systems, Wi-Fi and Bluetooth portals for smartphone connectivity and aftermarket scanner devices. As the wireless connectivity to integrated smartphone app systems such as Apple’s CarPlay expands exponentially during the next five years, so too will the hacking opportunities.
Few question that the rapid expansion of connected car technology has outpaced the automotive manufacturers’ ability to protect consumers against cyber-attacks. But acknowledging a challenge is the first step to meeting it.
In February, Senator Edward Markey released a report on cyber-security and data-privacy protection from emerging connected-car technologies, which found auto-makers were unaware and could not identify the present scale of the problem simply because they did not keep or share records of possible intrusions.
Moreover, it found that nearly all original equipment manufacturers (OEM), who supply many of the components for connected cars, were unable to respond to attacks in real-time, although some had on-board systems that could record information about breaches for later retrieval.
This meant that most attacks would only be discovered after the data was downloaded during a subsequent visit to the dealer or service center. Only two OEM had the ability to diagnose or respond to intrusions in real-time.
The report’s conclusion was that all partners in the auto industry needed to rapidly build their capabilities to defend against cyber-attacks.
Defining the Risks
Most security experts believe the scale of the emerging risks will only be fully understood by determining the motivation for cyber-attacks. What do the criminally minded have to gain?
Unfortunately, there appear to be many beneficial reasons to infiltrate a connected car, some of which extend beyond the usual financial motivation for attacks on personal computers and smartphones, such as access to credit card information. These include:
Profit or Financial Gain
- Property theft, up to and including car theft
- Gaining a commercial advantage, such as by disabling a rival auto-maker’s model to damage its brand
- Industrial espionage, or stealing intellectual property such as software
Organized Crime, Terrorism, Personal Revenge
- Deception or circumvention of software and hardware restrictions
- Privacy violations, such as for people tracking or stalking
- Causing harm to a driver, passenger, pedestrian, or others on the road
- Infrastructure damage: disabling and/or controlling a fleet of cars could disrupt or shut down an entire city’s transport infrastructure
Any such incident could adversely affect corporate financial targets, escalate customer-liability payments, or negatively impact the brand equity of a auto-maker or component supplier.
For these reasons and more some sectors of the US’s auto industry are marshaling their considerable resources to measure the risk, and to build adequate cyber-defense strategies.
For example, the National Highway Traffic Safety Administration (NHTSA) is working with carmakers to compile a cyber-security knowledge base from leading industries such as aviation, telecommunications and information technology. It is also supporting the development of cyber-security guidelines, best practices and, eventually, design and testing standards.
The NHTSA will report its findings to US Congress in 2016. Afterwards it is likely that the NHTSA will introduce cyber-security policies and some type of cyber-security regulation.
In July, they jointly proposed the SPY Act, part of which made mandatory all “reasonable measures” for protecting wireless access points in cars. It also directed the NHTSA to develop privacy standards – including conditions for consumers to opt out — for how driver and vehicle data is collected.
Among other goals, their legislation also sought to force car manufacturers to develop methods for real-time detection and prevention of cyber-hacking attempts.
With such pressure coming from Congress and consumer awareness growing by the day, solutions are emerging, but much more will be needed before the risks are reduced to manageable levels.
Many automotive control units will require an extensive re-engineering of their systems architecture to support cyber-resilience — including the development of security-specific hardware and software. Additional work will be required to improve data protection and the integrity of the controls that guard access to those systems.
The industry’s over-arching philosophy about the design of security systems has to assume that cyber-security breaches will happen, so standard operating solutions provide intrusion protection and monitoring for suspicious behavior while the car is in operation.
The deployment of such an extensive technology refit will have significant costs for the auto industry and may take a decade to fully implement. But the costs of failing to build robust cyber-security systems for the new connected-car era will be counted in mounting legal expenses, customer loss liabilities and damaged corporate reputations.
Clearly, connected cars will require smart solutions.