The road ahead for automotive cybersecurity
By Kevin Magee
Connected cars are not new, but the implications of their continued development pose many security questions
By Kevin Magee
To my generation, especially for those of us who grew up in isolated and small communities, being able to drive a car meant boundless mobility and freedom limited only by how much gas money was available.
To my parent’s generation, their “first car I ever owned” story is the stuff of legend. They still enjoy attending car shows, wandering nostalgically among the classics, viewing them as works of art. For younger drivers, technological conveniences are often more important than horsepower, and choosing fuel efficient or electric vehicles can be a personal priority. Regardless of what generation you may belong to, it’s safe to say that we have a relationship with our cars unlike that of any other device or technology.
But with all the advances from the Model T to the current line-up of hybrid vehicles available today, fundamentally little has changed about what makes a car a car. Even with features such as power steering, cruise control, heated seats and delayed wipers, a car is still fundamentally a car, right? Well, perhaps not for much longer. Today, the advent of autonomous and connected vehicles is changing both our perception as well as the physical and practical nature of what a car is. What is also fundamentally changing is how we assess the risks associated with this new and rapidly evolving mobile-computing platform to best inform our approach and ability to properly secure it.
Similarly, different concepts of vehicle ownership, such as leasing and the introduction of ride-sharing services, are affecting our buying habits. Proprietary control systems and mandatory software updates are altering the nature of what vehicle ownership might mean as well. These changes introduce new security, compliance and privacy challenges and in some cases ethical questions that are entirely unique.
As security professionals, we have therefore come to an interesting crossroads where we have the opportunity to introduce physical and cybersecurity by design into the evolution of vehicles, as well as the automotive industry, at a critical point in time. The consequences of remaining idle are sure to result in decades of retrofitting and reactive response.
But where do we begin? The answer is likely that we need to start challenging our premises by asking the right questions such as, “What are the risks associated with the evolution of autonomous and connected vehicles,” and “How do we secure a car?”
Is a car simply another mobile endpoint, a single enclosed hardware platform running software, much like a laptop but on wheels? Or is it a rolling data centre with multiple segmented networks? Are autonomous vehicles controlled by AI evolving to the point where the car itself can be held accountable for its actions? If so, should a car also be bestowed with independent legal rights?
How will vehicles significantly increase and introduce new potential attack surfaces as they are connected to critical infrastructure such as sensors embedded in streetlights and other cars on the road via mesh networks to enable safer and autonomous driving?
What vulnerabilities and opportunities for cybercrime will we introduce by integrating with financial systems to allow vehicles themselves to seamlessly pay for tolls, parking and perhaps drive-thru transactions?
What additional opportunities for ransomware emerge when physical theft of a vehicle is no longer necessary if cybercriminals can potentially disable your car right in your own driveway and then ransom the return of its use?
How could this threat extend beyond consumer targets to corporate fleets of vehicles, public transportation, ambulances, fire and police vehicles? Or could autonomous vehicles potentially be used to create physical Denial of Service attacks with hijacked or bricked vehicles creating intentional traffic jams or mass accidents?
There are also many concerns related to vehicle ownership emerging. Most smartphones are replaced within a year or so and most personal or work computers within a three to five year time span. Will drivers who like to keep their cars for longer periods of time be allowed to license and operate an “out of support” vehicle and if so, will there be legal restrictions or personal insurance penalties associated? Additionally, what will the future of independent mechanics be and our right to choose who services our vehicles? Will cars become closed and proprietary systems in which opening the hood will void the warranty? Will we retain the “right to repair” our own vehicles and what will be the legal view of “jail breaking” our cars to make modifications, or install non-authorized and custom third-party applications or parts?
While the road ahead for automotive cybersecurity contains many obstacles and challenges, it also presents an extraordinary opportunity for security professionals to provide early influence as to where we are headed.
Unlike the internet, the mobile phone or other paradigm shifting technologies, we have the opportunity to not just come along for the ride but perhaps in many cases, to have our turn in the driver’s seat as well.
Kevin Magee is the chief security and compliance officer for Microsoft Canada (aka.ms/CISOCentral) and a board member of the Automotive Parts Manufacturers’ Association.