Ransom cost may be high

Connected vehicle may become a gateway for any number of electronic transactions

Gulf News

Dubai: For ransomware, which is certainly on the rise on PCs and mobile phones, cars represent an almost ideal target.

“A hacker uses the in-car display to inform the driver that his car has been immobilised and that a ransom must be paid to restore the vehicle to normal operation. While a laptop or tablet may be restored relatively easily with potentially no damage, assuming backups are available, a car is a very different story,” said Alain Penel, Vice-President at Fortinet Middle East.

The cost of such a ransom is expected to be very high, and will likely take time. In the meantime, the vehicle may have to be towed.

So the question is, “what is the amount of the ransom demand that we expect to see? Estimates are that it is likely to be significantly higher than for traditional computer ransomware, but probably less than any related repair costs so that the car owner is tempted to pay.”

Another attractive target for hackers, he said, is collecting data about you through your car. Driverless cars collect massive amounts of data and know a lot about a user, including his favourite destinations, travel routes, where he lives, how and where he buys things, and even the people he travels with.

“Imagine a hacker, knowing that you’re travelling far from home, sells that information to a criminal gang who then breaks into your home, or uses your online credentials to empty your bank account,” he said.

The connected vehicle is likely to become a gateway for any number of electronic transactions, such as automatic payment of your daily morning coffee, or parking charges, or even repairs. With sensitive information stored in the car, it becomes another attack vector to obtain your personal information. “And with radio-frequency identification (RFID) and near-field communications (NFC) becoming commonplace in payment cards, accessing their details through your car would be another way to capture data about you and your passengers,” he said.

And last but not least, he said, there are legal and authenticity issues.

“Can we consider the location data of the car as authentic? That is if your car reports you opened it, entered it, and travelled to a particular location at a certain time of the day, can we really assume everything happened as recorded? Will such data hold up in court? Or can this sort of data be manipulated?”

“This is an issue that will need to be addressed. Similarly, if cars contain software from several different providers, and spend the day moving from one network to another, who is accountable or liable for a security breach and resulting losses or damage? Was it a software flaw? Was it negligent network management? Was it on-board user error or lack of training?”

So, the question becomes, how do we secure autonomous cars?

He said the first step must be a greater awareness by the manufacturers of the potential cyberthreats. While manufacturers have vast experience associated with automotive safety, it is reasonable to suspect they have less expertise in the dark arts of cyber compromise and exploitation.

“A closer alliance with the internet security industry will benefit everyone. The Automobile ISAC (Information Sharing and Analysis Centre) is an interesting precedent,” he said.

Next, he said, incorporating more and more technology into a vehicle, whether for improving the customer’s driving experience or enhancing the vehicle’s performance, must be balanced with the management of the potential threats and risks.

“Ensuring that appropriate and effective security technologies are implemented within these systems must be a mandatory objective, even if it’s not (yet) a regulatory requirement,” he said.

Additionally, a growing problem with many IoT devices is that they use common communications programmes that have no security built into them at all.

“As a direct result, an alarming number of IoT devices to date have been highly insecure. We need to achieve better for autonomous cars than what is the current IoT benchmark today,” he said.

At the same time, he added that manufacturers must work with their different technology and communications suppliers, across all of the territories where their vehicles are sold, to ensure that any network connections to the vehicles are appropriately hardened.