Connected car technology is slowly increasing its presence in the market, but some experts now warn that network-enabled automobiles may pose a security and safety risk.
"Automotive manufacturers are increasingly providing more connectivity options to the consumer by allowing them to connect to their cars, smartphones, wearable devices, homes and more," says David Miller, chief security officer at Covisint. Miller spoke at TU-Automotive Detroit in June about connected vehicles.
"These options are providing increased value to vehicle owners and manufacturers alike, but what most of us don't fully understand are the security consequences of exposing all of our personal information, data and passwords with this advanced connectivity,” he says. “Connected cars need to offer unified and interoperable user experiences to keep driver information secure, which will not be possible without collaboration across the automotive and technology industries."
Last year, Senator Edward Markey (D-Mass.) released a report entitled Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk. The report outlined potential vulnerabilities posed by Bluetooth and wireless Internet connectivity in vehicles that could lead to the loss of driver and vehicle data to outside parties.
"Cars were never designed to be secure, network connected devices," says Nick Gill, chairman of the global automotive sector at Capgemini. "The typical car has 50 to 100 electronic control units (ECUs), plus a significant amount of sensors, and each of those represents a potential connection point. The risk is that someone, for whatever reason, could get into the vehicle's systems through one of those ECUs and then access all of the others. The weakest point of those 200 nodes will be the point of attack."
In addition to potentially stealing driver or vehicle information, hackers could conceivably take control of vehicle systems that operate the brakes, headlights, or speedometer readings, among other things. They could also access location or driving history information. Hackers could also steal information related to freight being carried by commercial vehicles.
The nodes in the vehicle (which come from a variety of different suppliers) don't have the type of authentication or verification necessary to secure the data in the vehicle. The OEMs will bear the ultimate responsibility if there are breaches, Gill says.
According to Frost & Sullivan, 90 percent of automakers in North America have deployed connected telematics solutions. Machina Research predicts that connected vehicles will cause a 97 percent increase in data traffic in certain regions. The European Union is in the process of mandating eCall connectivity in all vehicles by 2018, to enable automatic emergency communications for every car in the region.
“While embedded connectivity is on the rise due to specific regulations related to telematics, shared data plans and smartphone-based connectivity will also gain prominence in the global mass market,” says Frost & Sullivan Automotive and Transportation Research Analyst Ramnath Eswaravadivoo. “OEMs wanting to compete with free smartphone-based navigation solutions are offering connected capabilities with dynamic re-routing, real-time traffic and point of interface services.”
Senator Markey called for new regulations to establish standards for vehicle data security. “Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” Markey said in a statement when his report was released. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.”
The OEMs are in the early stages of creating a voluntary group to evaluate cyber threats for connected vehicles, according to the Alliance of Automobile Manufacturers. Frost & Sullivan noted that vehicle security should cover over-the-air updates, connected services, user data protection and virtualization.
However, deploying security standards across dozens of OEMs and thousands of suppliers will be difficult. "The most challenging part is just the network of vehicles," Gill says. "These cars are on the road 10 years or longer, and with commercial vehicles, the lifespan is even greater. You have to have the ability to retrofit the security standards on those vehicles."
Software updates would also be challenging, since periodic patches would have to be applied to any security software in the vehicle. Tesla provides over-the-air (OTA) updates for its cars, but not every vehicle is equipped for that type of connectivity. There are also concerns that OTA updates could disrupt the function of the vehicles while they are being operated.
"There are going to be different models," Gill says. "Consumers are going to, at some stage, be pulled in via GPS connectivity. Or they may want to download new parking apps or other features, so there will be ways to get the updates into the cars."
Another wrinkle will be the networked infrastructure that is currently being tested. This would allow vehicles to communicate with roadside sensors and computers to improve traffic flow or provide early warnings about accidents or traffic jams. "That just extends the level of communication," Gill says. "If you expand this model to include collecting data from vehicles across a city or state, the stakes are just higher."
According to Gill, the various stakeholders involved in building out the connected vehicle network do not always have security in mind when designing solutions. "We're not convinced that people are worrying enough about some of the risks this poses," Gill says. "If there is a chance for something to happen and a vulnerability in the system, someone will take advantage of that vulnerability."
Subscribe to Aftermarket Business World and receive articles like this every month….absolutely free. Click here.
