The technology in today’s vehicles is amazing. Auto manufacturers are rushing to add connectivity to its vehicles, to complement and enhance its bells and whistles. It warns me if I stray out of my lane, and if there is a car in my blind spot.
It has adaptive cruise control that slows down if a car pulls in front of me. It alerts me of cross traffic, pedestrians and even dogs, when I back up. It monitors road conditions and automatically enables all-wheel drive if roads are wet.
And that’s just the start. It has collision detection, and automatic braking, and a fully connected entertainment and communications system. The windshield wipers even turn on automatically when it starts to rain.
A modern car may have as many as a hundred electronic control units. When you add satellite infotainment systems with Bluetooth and voice commands, and a 4G LTE WiFi hot spot in your car, these vehicles are not only incredibly connected, they are also increasingly vulnerable.
Not surprisingly, attacks on a car’s sophisticated computer systems are becoming a serious threat.
Last year, hacking researchers demonstrated how they could remotely hijack control of a connected vehicle while it was actually cruising down an interstate. The attack came via a vulnerability the researchers found in its internet-connected infotainment system.
Through that point of entry they were able to access other systems within the car, including the transmission and braking system, with alarming results.
The demonstration was dramatic proof that our vehicles are now under serious threat of cyberattack, and led to the recall of 1.4 million vehicles in the United States to install a software update to patch the vulnerability.
And the potential attack surface is growing. Soon, cars will be able to do things like automatically pay for fuel when you pull up to a pump, negotiate online shopping services, check and read your email to you, and sync with your calendar to remind you of conference calls and events.
Individual passengers will be able to each have their own separate WiFi connection to the internet to stream movies, browse social media, check their banking information, and shop online.
These cars are really only a generation or two away from being fully driverless. What happens then, when cars on the road are dynamically sharing road conditions, negotiating traffic, and responding to intelligent traffic systems designed to move traffic more efficiently through urban environments?
The potential for a catastrophic result from a well-planned attack seems high, and in addition to the loss of life and property, could stall technological advancement for years.
Securing complex systems like these is no easy task. Once you connect your car to a 4G or 5G network, how do you secure that connection? How do you incorporate security solutions throughout the car to ensure your passengers and their data are protected, especially from zero-day attacks?
What are the security implications once automakers become their own carriers, providing personalised connectivity services to their cars?
Technology is advancing at a rate that the intentionally slow process of legislation and laws will never be able to keep up. Laws will either be too specific to address the latest threats and challenges, or so vague as to allow too much wiggle room in terms of developing appropriate safeguards.
So the big question is, what can we do now?
I suggest that a good first step would be for auto manufacturers to begin to partner with security vendors to design safer vehicles. Securing a car should not be much different from securing a modern network — harden your access points, monitor and inspect traffic for malware and unauthorised commands, segment the network into security zones, secure communications, and share global and local threat intelligence.
Everything else in a car is branded, from XM radios, to Bose speakers, to designer interiors. Why not also have a vehicle provide branded security from a leading engineering company that does this sort of thing as their primary business?
Our love affair with the car shows no signs of slowing down. And as it becomes even more integrated with our online lives, including the advent of what I refer to as Transportation as a Service, we are exposing ourselves to more risks than ever. So, what do we do next?
With 25 per cent of Dubai’s transport set to go driverless by 2030, these are important discussions we as consumers, and as a security industry, need to be having right now.
The writer is the regional vice-president for Middle East at Fortinet
