ATIS hits the pedal on connected car security

Connected cars are perhaps the first widely deployed use case for the Internet of Things (IoT)—but they also get plenty of bad press for having gaping security flaws. To address the need for a comprehensive cybersecurity approach, ATIS has proposed an end-to-end security framework that addresses both the managed and unmanaged environments of the connected vehicle.

“As connected vehicles become more prevalent on our highways, and applications become more sophisticated and integrated into our everyday lives, the threat of cyber-intrusion also grows,” said Tom Gage, CEO, managing director and founder of Marconi Pacific and chair of ATIS’ connected car committee. “This makes it critical that the connectivity provided between and among vehicles, infrastructure and wireless devices is authenticated, trusted and secure.”

To address the mind-boggling array of threats, vehicle manufacturers and their suppliers are working on incorporating security features into every stage of the design, manufacturing, testing and vehicle delivery process. With that in mind, the framework addresses a proposed engagement model between communications service providers and vehicle OEMs. This includes expanding the ATIS work group to those OEMs to further explore how the ICT industry can best participate and enhance cybersecurity. ATIS also plans to collaborate with the Auto-ISAC, which has developed a set of security best practices.

“A collaborative engagement between the ICT industry and the connected vehicle industry would foster further dialog across a range of ideas and topic areas, such as a centralized in-vehicle security model, deep packet inspection security, a connected vehicle App Store concept, as well as a connected vehicle bug bounty program,” Gage said.

While the intentions are good, the industry as a whole faces an enormous barrier in the sheer complexity of the automotive ecosystem and technology, according to Roger Lanctot, director of automotive connected mobility at Strategy Analytics.

“The finished connected car product has a variety of attack surfaces—everything from the radio that’s connected, to traffic information systems, to wireless tire pressure monitors,” he told FierceWirelessTech in an interview. “It’s just very hard to protect them. Most of the major automakers have at some point overlooked some kind of protocol or VPN or basic security hygiene issue in putting their connected car together. But so far, the industry has been able to get by with security by obscurity.”

One main weak link is the on-board diagnostic (OBD) port. These are usually wirelessly enabled to facilitate the aftermarket repair industry, and this is where insurance dongles and the like plug in. Although access is encrypted, it can be broken—with potentially disastrous results. For instance, mechanisms controlling braking and steering are accessible via the OBD port.

Other sources of vulnerabilities exist in the not-insubstantial supply chain, populated by OEMs, the tech industry, Tier 1 and 2 suppliers, after-market suppliers, dealers and repair and body shops.  

“In the dealer network a compromise can come from simply having heedless or unhappy employees,” Lanctot said. “Cars also are increasingly being connected to multiple resources, like Apple CarPlay and Android Auto. And that’s an injection opportunity. Carmakers are also using Linux code, which could introduce vulnerabilities via open-source code reuse.”

It’s also important to consider that cyberattacks can be directed against not only the vehicle itself, but also against the telecommunications networks and cloud-based platforms that offer connected vehicle services. However, not all communications paths into the vehicle (such as peer-to-peer short range wireless Wi-Fi and Bluetooth) are operated or secured by service providers, and will require yet other cybersecurity methods to ensure end-to-end safety and security.

And there’s still more: “Furthermore, if the connected vehicle is viewed as a complex IoT (Internet of Things) endpoint capable of establishing communications with other IoT endpoints, additional security risks may be involved from unsecured IoT devices,” Gage added.

To put a real-world face on all of this, automotive cybersecurity researchers Charlie Miller and Chris Valasek famously explored just how vulnerable vehicles can be not once, but twice. In 2015, they were able to remotely hack a 2014 Jeep Cherokee—with a journalist from Wired on board—to cut the transmission and bring it to a stop in the middle of the interstate. That outing prompted an expensive recall by Chrysler of 1.4 million vehicles; but then, a year later, the duo showcased a new arsenal of hacks that could cause a range of bad things, including unintended acceleration and remote turning of the steering wheel.

And it’s not just operational interference at stake—though that’s certainly the most dangerous scenario. According to the National Highway Traffic Safety Administration, cyberthreats to vehicles and their occupants can consist of privacy issues and unauthorized commercial transactions (many services are paid subscriptions).

While automotive flaws are not easy flaws to exploit—“No one’s really hacked a car in the wild,” Lanctot said—there’s no guarantee that someone won’t figure out a glide path to compromises in the future.

Gage added that there are myriad upsides to getting it right, in addition to the No. 1 concern of ensuring personal safety for drivers and passengers.

“Collaboration between the ICT and auto industries offers many benefits, including improved consumer confidence in the safety of connected vehicles; reduced overlap in security R&D aimed at connected vehicles; reduced costs by having all partners share responsibility and accountability to define, design and deploy security best practices; decreased time to market; as well as a greater potential to develop new connected vehicle services and applications,” he said.