Connected Cars - car dashboard screen

Protected Connected Cars

Author: Kevin Phillips

As car manufacturers around the globe join the rush to develop ‘smarter cars’, I can’t help but wonder just how much thought is going into applying the necessary security needed to protect them from attack by cyber-criminals. Plenty, some might say, but it is really wise to slot something so integral to our daily lives, and something so dangerous, into the Internet of Things without thorough and rigorous security testing? How long will it be before we see the first ransomware attack preventing the owner from driving it or being unable to exit the vehicle without paying up for the privilege?

As with all things there is going to be a balance between security and usability, protection and access, and reassurance and viability. We already see this today within the financial services industry, which now relies heavily on digital communications across the internet. Here we can see that lessons have already been learned, many the hard way, and security has become entrenched in the thinking of large banks and start-up challengers alike. No one would think to offer a financial service (e.g. digital banking software) across the internet that has not been rigorously tested, double-checked by security experts and then held accountable by regulation. All this to protect us from losing out financially to fraud.

But what of vehicles? With banking we could lose our money; with driving we could lose a lot more. If you think about it, connected cars should be at least as secure as the toughest digital banking protocol, and probably a lot more. Not only could cyber criminals lock you out of your car until you have paid up a ransom, but they could actually do a lot more physical harm:

Roll in the driverless car, connected to the internet and getting route, destination and traffic alerts in real time across the Internet of Things. Up comes a cyber-attack that takes control of the vehicle, then simply drives it off to any destination of the attacker’s choice… and suddenly we have witnessed a sort of Internet of Theft (or Grand Theft Internet, take your choice). It could get a lot worse, with ‘gangs’ of driverless cars taken over by cyber-criminals wreaking havoc across our cities and towns: anything from driverless joy-riding and street racing to full scale synchronised terrorism.

Whoa! Starting to sound like science fiction? I’m not predicting that our streets will soon become the domain of rogue Transformers, but we do need to be mindful that plugging our beloved car into the global internet might just be asking for trouble, unless we get it right from the start.
So what can we do about it? Firstly, manufacturers and their software partners need to start thinking like global finance providers and put security to the forefront of their thinking. It would be nice to think that they will pull together and join forces to come up with a common set of protocols, but the fierce competition between them might put a stop to that ever becoming a reality.

We also need to see some gritty regulation, similar to the Euro NCAP programme, to define good cybersecurity practices for vehicles and then offers a publicised cyber-safety rating.

The fact is we may need to get a lot smarter when designing ‘smarter cars’, and we need to get on board with the cybersecurity agenda now. If we don’t, we are simply waiting for the first round of criminal successes to hit the headlines, or even witness events as severe as cyber-attack fatalities before we are forced to take the matter seriously enough to develop Protected Connected Cars.

Connected Cars - car dashboard screen
24 Oct 2016

Author: Kevin Phillips

As car manufacturers around the globe join the rush to develop ‘smarter cars’, I can’t help but wonder just how much thought is going into applying the necessary security needed to protect them from attack by cyber-criminals. Plenty, some might say, but it is really wise to slot something so integral to our daily lives, and something so dangerous, into the Internet of Things without thorough and rigorous security testing? How long will it be before we see the first ransomware attack preventing the owner from driving it or being unable to exit the vehicle without paying up for the privilege?

As with all things there is going to be a balance between security and usability, protection and access, and reassurance and viability. We already see this today within the financial services industry, which now relies heavily on digital communications across the internet. Here we can see that lessons have already been learned, many the hard way, and security has become entrenched in the thinking of large banks and start-up challengers alike. No one would think to offer a financial service (e.g. digital banking software) across the internet that has not been rigorously tested, double-checked by security experts and then held accountable by regulation. All this to protect us from losing out financially to fraud.

But what of vehicles? With banking we could lose our money; with driving we could lose a lot more. If you think about it, connected cars should be at least as secure as the toughest digital banking protocol, and probably a lot more. Not only could cyber criminals lock you out of your car until you have paid up a ransom, but they could actually do a lot more physical harm:

Roll in the driverless car, connected to the internet and getting route, destination and traffic alerts in real time across the Internet of Things. Up comes a cyber-attack that takes control of the vehicle, then simply drives it off to any destination of the attacker’s choice… and suddenly we have witnessed a sort of Internet of Theft (or Grand Theft Internet, take your choice). It could get a lot worse, with ‘gangs’ of driverless cars taken over by cyber-criminals wreaking havoc across our cities and towns: anything from driverless joy-riding and street racing to full scale synchronised terrorism.

Whoa! Starting to sound like science fiction? I’m not predicting that our streets will soon become the domain of rogue Transformers, but we do need to be mindful that plugging our beloved car into the global internet might just be asking for trouble, unless we get it right from the start.
So what can we do about it? Firstly, manufacturers and their software partners need to start thinking like global finance providers and put security to the forefront of their thinking. It would be nice to think that they will pull together and join forces to come up with a common set of protocols, but the fierce competition between them might put a stop to that ever becoming a reality.

We also need to see some gritty regulation, similar to the Euro NCAP programme, to define good cybersecurity practices for vehicles and then offers a publicised cyber-safety rating.

The fact is we may need to get a lot smarter when designing ‘smarter cars’, and we need to get on board with the cybersecurity agenda now. If we don’t, we are simply waiting for the first round of criminal successes to hit the headlines, or even witness events as severe as cyber-attack fatalities before we are forced to take the matter seriously enough to develop Protected Connected Cars.