Fact vs. Fiction: Understanding the Future of Connected Car Security
Fact vs. Fiction: Understanding the Future of Connected Car Security

In the near future, the number of autonomous connected devices will outnumber human-operated systems by at least 10-fold. Gartner estimates that there will be a quarter of a billion connected cars on the roads by 2020 and the market for driver assistance systems is expected to grow to more than $50 billion.

With every generation, modern car manufacturers adopt more sophisticated digital technologies in order to increase the fuel efficiency, safety and comfort levels of their vehicles. Many models already have multiple cameras, sensors and radars on board, accompanied by software to process and analyze the signals from the equipment. But that's just the tip of the iceberg: almost any major component of a modern car - such as the engine, steering, brakes and so on - is controlled by technology and is linked to an onboard network.

This automotive ‘new normal' is affecting market trends and of course influences the audience – both those already driving and future drivers. As a result, this era is accumulating a lot of concerns, beliefs and myths around the future of smart vehicles. Let's take a deeper look and sort the fact vs. fiction when it comes to connected cars:

1.       Fact: Cybercriminals can track me once they hack my connected car

Software can track the car, regardless of the location. In modern cars, there are video and audio interfaces for voice and gesture control, for instance, so there are several microphones and cameras, as well as built-in telematic modules with eSIM on board. Thus, they can be used to track, listen and watch what is happening inside the car. This is extremely important when we speak of business and executive class cars – private, commercial talks can be intercepted, so the car could potentially be used to spy on the person.

2.       Fiction: Cybercriminals can use a car's connectivity to hijack my vehicle

Connectivity is an extra risk that has recently appeared in cars and some real-life hacks have already been seen. The Jeep is a good example of that – hackers were able to take full control of the car while being thousands of miles away. However, the security and safety of smart vehicles consist of multi-layered, multi-staged protection measures that won't easily let hackers hijack your car, at least for now. The real danger is about control over certain car systems.

For instance, there are a growing number of smartphone apps - most leading car manufacturers now offer apps to make life easier for drivers – that can locate, lock/unlock your car, check tire pressures, request assistance, schedule maintenance and more. Researchers have already shown how many such apps can be hacked to take over a car. It will not be long before Trojanized apps appear that inject malware directly into the heart of an unsuspecting victim's vehicle.

3.       Fact: Cybercriminals can hack my car in order to exploit or sell my personal data

Connected vehicles will quickly generate and process more and more data – about the vehicle, but also about journeys and even personal data on the occupants. In 2018, this will be of growing appeal to attackers looking to sell the data on the black market or use it for extortion and blackmail. Car manufacturers are already under pressure from marketing companies eager to gain legitimate access to passenger and journey data for real-time location-based advertising.

Attacks against client-side components of connected car infrastructure (e.g. remote control mobile apps or web-based client services) leading to the compromise of a car's physical security and the privacy of its user could also be an issue. Such attacks can give a hacker access to the personal account of the owner of a connected car and, via a fake mobile app, they will be able to unlock the doors and/or track their geolocation and other personal information. Research has proven the workability of this type of attack.

4.       Fiction: The nature of the automotive industry makes vulnerability issues so relevant

Vulnerabilities have indeed been introduced through a lack of manufacturer attention or expertise, combined with competitive pressures. The range of connected mobility services being launched will continue to rise, as will the number of suppliers developing and delivering them. This ever-growing supply (and the likelihood of products/suppliers being of variable quality), coupled with a fiercely competitive marketplace could lead to security shortcuts or gaps that provide an easy route for attackers. However, this is not an issue of the automotive industry – we see similar challenges in mobile, computing and IoT markets.

5.       Fact: Malicious software can affect not only smart cars but also smart traffic and cities

Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communication is getting more and more popular. Essentially, daily and routine things like traffic lights or information messages on what is happening on the road could be hacked – we have even shown examples of this by controlling ‘smart' traffic lights and other traffic equipment.

6.       Fact: Cybercriminals can use a car's infection for money extortion

Indeed, another risk would be ransomware – like WannaCry or exPetya. It can encrypt or modify software components of the, meaning it won't move without paying a ransom. Moreover, this could likely become one of the most popular monetization vectors for criminals.

Conclusion: What Can Be Done

It is crucially important for automotive manufacturers to make security a priority. Addressing the above-mentioned risks involves integrating security by design as standard, focused on different parts of the connected car ecosystem. Defensive software solutions could be installed locally on individual electrical components— for instance, the brakes — to reinforce them against attacks.

Next, software can protect the vehicle's internal network as a whole by examining all network communications, flagging any changes in standard in-vehicle network behavior and stopping attacks from advancing through the network.

Overarching this, a solution needs to protect all components that are externally connected to the Internet. In the near future, we should start to see some of these industry requirements appearing, alongside the first cybersecure devices for remote diagnostic and telematic data.