When was the last time you rerouted based on real-time traffic updates from navigation apps like Google Maps? Well, nowadays with the over-crowded traffic scene, we are almost mentally wired to do so. However, if you feel that’s not a connected car experience enough, you might be slightly further from the reality. Provided the fact we are not confusing connected cars with autonomous vehicles, let’s drive right into the highway of smart automobile experiences and investigate the needs and measures for ensuring their cyber security.

What is a connected car?

A ‘Connected car’ is equipped with Internet access that may be shared inside the vehicle through a local wireless network. However, a car becomes ‘connected’ when it starts to consume data or access services from the cloud or starts to sync diagnostic data with the cloud. A connected car driver has continuous access to not only on-road information such as route and traffic congestion, but also to multimedia content. The current crop of connected smartphone apps available in India such as Mercedes Me, BMW ConnectedDrive, Honda Connect, Toyota Connect, Ford SYNC, and Nissan Connect is continually adding features, and allows car owners to be perpetually linked with their vehicles. Fortified with features such as on-road assistance, vehicle diagnostics, geo-tracking, remote locking and temperature control, connected car owners certainly get a lot more out of their driving experience. As the average human’s daily schedule is being eased by robotic automation and artificial intelligence, the connected car is exponentially evolving every day from being a luxury to a necessity.

However, if appropriate security measures for this ‘soon-to-be-ubiquitous’ necessity are not mandated soon enough, the future of connected cars could be bleak. Would you believe that in some of the vehicles which debuted the connected features, it was possible for a hacker to disable the breaks and control the steering. Imagine this happening on a long-ride with your beloved or family. Is this really possible? Can hackable connected cars be owned with trust?

How the heck is hack possible?

There are three types of external communication networks in a connected car – Internet, WiFi and Dedicated Short-range Communication (DSRC). Hence to be specific, the boon of connectivity gives birth to this bane of connected car hacking. In 2018 itself, there have been 10 such hacks in the year’s first 10 weeks. Back in 2015, white-hat hacker duo Charlie Miller and Chris Valasek had demonstrated how evidently insecure today’s state-of-the-art connected cars are. Utilizing a loophole in a Jeep Cherokee’s entertainment software, they had taken over dashboard functions, steering, brakes, and transmission of the vehicle while it was driving down the highway at 70mph.

Even in 2018, as the automobile industry is cruising towards autonomous driving, unfortunately connected cars are still prone to multiple cyber security flaws that lay out a red-carpet for hackers. These hackers sitting in distant corners of the globe are not just researchers, but also vary between cyber-criminals, competitors and hacktivists. Tapping into various security lapses and network flaws such as the Controller Area Network (CAN) Bus vulnerability, hackers target the Electronic Control Unit (ECU). For example, by intercepting the messages between the ECU and any of the subsystems from a digitally or physically compromised On-board Diagnostics (OBD) port and injecting corrupt bits into multiple such communications (arbitrary CAN injections), it is possible to trick the ECU to perceive a subsystem as defective and take it out of the car network’s Intrusion Detection System (IDS).

Malware and digital exploits are getting complex by the day. However, with an average connected car’s go-to-market period being 5 years or more, both the physical and network security measures implemented at the time of design, are often outdated to by the time they are in production.

What’s holding the automobile industry back?

There are primarily two sets of unique challenges that are maiming the auto industry’s Original Equipment Manufacturers (OEM) from filling these cyber security gaps with a definite set of security practices and countermeasures.

  1. Exponentially increasing electronic complexity – With leading edge technological promises, the prospective connected car owners want more and more features to be crammed into the electro-mechanical ecosystem of the car. Such demands are forcing OEMs to multiply the average number of electronic vehicle nodes or ECUs of any car from 30 units of today to more than 100 in the next 3-5 years. Moreover, with each embedded unit necessitating its own operating software and hence millions of lines of code for operation and communications, even the foremost security measures are falling short of providing an overarching solution.
  2. Multiplicity of stakeholders – With the characterizing fragmentation of the automobile industry’s supply chain, there are too many players manufacturing components with their own standards and patch specifications. As the multiple ECUs coming from multiple suppliers are integrated by the OEM to materialize certain features, the risks of cyber security flaws are further increased. Each component with its own cyber security needs may be protected at an individual level. However, when such components are integrated by the OEM using certain trademarked protocols, component customization may create peculiar vulnerabilities unforeseen unless the components are integrated. Moreover, OEMs considering quality, innovation, cost and support as the criteria of choosing a supplier, don’t mandate the suppliers to raise the bars on their cyber security initiatives.

Ok! So, how do we control the hacks?

Every industry has its own set of drawbacks or challenges. Innovation or disruption stems from perceiving these challenges as opportunities and overcoming them with comprehensive ingenuity. To secure connected cars, there should be a multi-pronged approach.

From a network access perspective there should be:

  • End to end security – Bi-directional authentication and end-point authorization to ensure unique node identification and securing the communication techniques to factor out network snooping
  • User Data Protection – Ensure that all data going in and out of the vehicle is subject to various regulatory standards of privacy protection

From a process perspective there should be:

  • Well defined cyber security standards – defined by the OEMs based on industry standards and best practices that are applied across its supply chain, covering the entire vehicular lifecycle.
  • A well-defined Incident Management & Recovery strategy – that’s continually updated to boost applicability

From a practice perspective there should be:

  • Controlled access to firmware – with cryptographic key handling, digital signing techniques for firmware authorization and secure boot to prevent any unidentified code from executing and modifying system internals
  • Physically disable or remove ports – such as debug ports or serial ports through which privileged access to the hardware is possible
  • Using network and process isolation architecture – to protect critical networked devices and use dedicated communication channels for safety critical sensors and devices to prevent spoofing
  • A rigorous anomaly detection system – that identifies intrusions from unexpected variations or patterns of information exchange
  • Defining and implementing coding principles – that ensure defensive programming practices and compliance with universal security standards

Driving without the dilemma

As the hackers keep the chase on and the OEMs innovate to secure their products, within the coming decade itself the connected cars industry will undergo a sea-change in terms of security protocols and practices. Starting with the recent OEM-Supplier alliances and end-user forums, the future certainly doesn’t seem DIS-connected.

Are you attending TU-Automotive Detroit 2019? Let’s connect!

Written by Sherry C Kunjachan

on 14 May 2019

Sherry C Kunjachan is the Strategic Initiatives Leader for Automotive Engineering Services at QuEST Global, which is a focused global engineering solutions provider and production engineering partner serving the product development & production engineering needs of high technology companies in the Aero Engines, Aerospace & Defense, Automotive, Oil & Gas, Power, Medical Devices, Industrial and other high tech industries.