With the connected car invading our lives at what often seems like unprecedented speed, ensuring these vehicles are made secure at the manufacturing stage is emerging as one of the next big cybersecurity skills challenges. Michael Hill reports.
We are entering a world of connectivity unlike the kind we have ever been exposed to before, with the concept of the Internet of Things (IoT) invading our physical lives at what often feels like unprecedented speed.
A prime example is the now commonplace use of internet-connected devices within the automotive industry, with most vehicles manufactured after 2010 having some form of internet access or wireless LAN, allowing for connectivity to appliances both inside and outside the car.
A plethora of on-board technologies that tap into this connection allow for a wide array of impressive features that make driving a smoother, more enjoyable experience for drivers and passengers alike. These include automatic notification of crashes, speeding and safety warnings, voice commands, contextual help/offers, parking apps, engine controls and car diagnosis, to list just a few.
However, whilst these represent how far technology is advancing and give us an exciting glimpse into what could be possible in the future of the automotive sector, the concept of the connected car is also unearthing a whole host of safety and security concerns, owing largely to the fact that the majority of the IoT devices being used are simply not manufactured with security in mind, and so are vulnerable to attack by hackers.
What’s more, there are significant concerns over whether there is the talent and knowhow out there to cope with the sheer scope of tackling the issue, with many in the industry citing it as one of the next big skills challenges in security. It requires an ongoing understanding about the nature of threats and vulnerabilities in a rapidly changing landscape to build in strong security measures that effectively protect against these risks, something that is clearly currently lacking in automotive manufacturing.
Luckily, many of the instances we have seen recently where connected vehicles have been breached and tampered with have been orchestrated by honest hackers, seeking only to highlight their security issues and raise awareness of the problem. A prime example is when, last year, white hats from IOActive made the headlines by breaching a Jeep on the highway.
“We spent a whole calendar year working specifically on the Jeep hack, so this isn’t something that someone does in a weekend,” Daniel Miessler, director of advisory services for IOActive, told Infosecurity. “At the same time, it is alarming what a single person can do from their sofa.”
Miessler explained that once the engine control unit accepts commands over the controller area network (CAN), a whole range of doors are open to an attacker, ranging from simply switching the radio station to completely overriding the engine control.
“It is also possible to access the power steering, parking brakes and electrical gear shift – more or less anything the driver in the car can control,” he added.
“Since previous research had shown what could be done with physical access to a car, we were keen to demonstrate that remote attacks against unaltered vehicles are still possible and that we need to encourage everyone to take this threat seriously.”
So, with vehicles only going to communicate even more in the future, it’s surely just a matter of time before malicious hackers are not only able to lock down cars with ransomware or meddle with alarm functionality to make theft easier, but also truly endanger physical lives by remotely getting into the driving seat themselves, highlighting that very real security issues need to be addressed.
Bruce Schneier summed this up in typically astute style during his keynote presentation at Infosecurity Europe in London earlier this year, arguing that the physicality of today’s IoT devices has the potential to create catastrophic risks of unprecedented scale should they be compromised, something the industry cannot afford to fail to recognize and respond to.
“I think this is going to hit a tipping point,” he said on the day. “This is the ‘too big to scale problem’, where our systems are getting so big that we can’t afford a single failure, and it’s going to happen soon.”
Speaking to Infosecurity after the event, Schneier elaborated, explaining that vehicles today are essentially mobile computers, and so everything that is true about computer security, including vulnerabilities, becomes true about cars.
“Securing connected cars certainly is a challenge because these industries do not traditionally understand computer security, so all of the things that Microsoft and Apple [for example] had to learn with regards to how to secure computers, now everyone else has to learn.”
“The car manufacturer doesn’t know any better, so there’s going to be a huge learning curve just like we had in the computer industry in the 1990s as all of these other industries try to figure it out.”
However, unlike computer security, which has an agile ethic whereby patches and automatic updates can be quickly implemented to fix new vulnerabilities, cars come from the world of “get it right the first time”, otherwise the ramifications can be far more severe, added Schneier.
“The automobile industry needs to learn that they need security in their IoT products and they need to hire the right people to do it.”
Therefore, with the IoT invading our physical lives to such an extent through the connected devices in our vehicles and the possible risks having the potential to be so high, it’s clear that a greater focus on ensuring they are made more secure at the manufacturing stage is of paramount importance. This is an area where, according to David Shearer, CEO at (ISC)2, the industry is failing on an international scale to attract enough talented individuals with the skills and knowledge to deal with the problem.
With embedded, connected systems now in everything that we buy, successfully securing them requires the coming together of every engineering discipline on the planet, Shearer told Infosecurity.
“Consider what engineering goes into the manufacturing of a car”, he said. “It’s mechanical, electrical, software, chemical; so you really have a convergence of every engineering discipline in the manufacture of consumer products that have life and safety issues. We need to have engineering disciplines that understand that at the design and engineering phase they need to be thinking about security.”
“You have a great degree of people that are educated in the engineering disciplines, in the science and mathematics technologies, but still the numbers [in cybersecurity] are not where they need to be,” he added.
As a result, it is becoming all too common for vehicle manufacturers to overlook security at the conception phase of their IoT products and instead take the far riskier approach of trying to retrofit security further down the line if required, with car firewall add-ons a prime example.
“We really have to start looking at who’s designing and engineering these things, and we have to start pulling people (engineers in any discipline) out of colleges and universities; somehow we have to reach them and also have curriculums that teach them that throughout the life cycle of developing a product, whether it’s software, hardware, or engineering, they need to be thinking about the implications of cybersecurity. That’s a bigger call to action for (ISC)2 and the community at large.”
These were sentiments echoed by Stephanie Daman, CEO at Cyber Security Challenge, the government’s collaboration with UK industry and academia to find and nurture cybersecurity talent across the country. Speaking to Infosecurity, Daman explained that with a huge industry skills gap already in relation to cybersecurity, we now need to take account of the effect that the proliferation of the IoT in our vehicles is having on the skills required across the industry to ensure the safety of consumers.
“The skills required to tackle this wide array of cybersecurity threats are continuous and ever-changing, so in order to have any chance at sustainability, we have to engage with those who will be the cyber experts of the future. A fantastic way to encourage young people into the sector is through problem-based interactive challenges, and these are what we use in our events in order to develop the talented cyber professionals of tomorrow.”
It’s always been perfectly clear in the cyber industry that as technology advances, there will be a lag in the number of professionals who are trained adequately to deal with the security issues that inevitably arise, and connected cars are no different.
However, it’s an issue that vehicle manufacturers need to be taking seriously because, after all, they are the ones who will be held accountable for any breaches that their devices suffer.
Automakers need to be employing or training people who are able to build security in from the beginning, rather than simply adding it on top. At the same time, education and government bodies need to be just as mindful, recognizing their responsibility to dedicate time and resources into nurturing the next generation of cybersecurity talent in this area in order to mitigate the risks of cybercrime within the automotive industry so that people’s vehicles, personal data and lives are kept safe.