The auto industry reached an important milestone in 2020: more than half of the cars sold globally included internet connectivity as a standard feature. Modern cars have started to resemble mobile supercomputers, with each one containing millions of lines of code and able to process huge amounts of data. They’ve also begun integrating with the operating systems used by their customers on their mobile devices, with Ford the latest automaker to announce it will use Google Android to drive its connected systems. The automotive industry hopes to take advantage of this data to improve the driver experience and monetize the user insights this data reveals, but increased connectivity also comes with significant risk.
Connected car cybersecurity is under increasing pressure to cope with the improved capabilities of hackers. Here we’ll take a look at some of the biggest challenges facing connected car cybersecurity right now and in the months and years ahead.
Threats to connected car cybersecurity
Hackers are turning their attention to connected cars, as they have multiple entry points and there are several ways to profit from attacks. Since 2016, cyber attacks on connected vehicles have risen by nearly 100% annually, revealing major issues in securing the supply chain of connected components and the apps the vehicles use. The biggest potential threats to vehicle systems are: the car itself being stolen, user information being extracted via data breaches, and cars performing unwanted actions that threaten the physical safety of the driver and others.
Theft of connected cars
The increased computerization of cars was intended to make them more secure against theft, especially the move from physical keys to key fobs. However, security researchers quickly pointed out how these systems could be hacked. Unfortunately, these predictions have come true. Car thieves are now enjoying something of a golden age: thefts in the UK have increased 50% in the last six years, and major cities across the US saw sharp spikes in 2020, despite falls in most other crime categories.
The hacking of connected car security systems and the availability of cheap theft devices, even ones made using old Nintendo Game Boys, means that thieves can access nearly any connected car they want.
With large processors and multiple data receptors, connected vehicles have the potential to collect more personal information about their users than nearly any other connected device. Former Intel CEO Brian Krzanich predicted that vehicle connectivity would create a flood of data, with each car creating 40 terabytes of data for every eight hours spent driving.
Unfortunately, with seven different modes of connectivity and information being stored in unsecured repositories, this data is highly vulnerable to theft. A Washington Post investigation, for example, revealed how much personal data could be extracted from a second-hand Chevy infotainment computer. With more and more models being shipped with 4G or 5G connectivity, hackers don’t even require physical access to a vehicle to infiltrate it and extract private information.
Cars performing unwanted actions
The dystopian possibility of bad actors accessing a vehicle and taking control away from the driver has moved from action movies to the real world. One of the most famous examples of this was researchers hacking into and knocking out the transmission on a Jeep Cherokee while it was traveling at 70 mph on the highway. This led to Chrysler recalling 1.4 million vehicles.
The remote takeover of system functions is a particular worry for autonomous vehicles. Researchers have shown how the advanced driving assistance systems (ADAS) on a Tesla Model X could be fooled into swerving into oncoming traffic. Other research models have shown how autonomous vehicles could shut down New York if they were hacked and turned off in traffic.
For connected vehicles to reach their full potential as a technology, regulators’ and customers’ fears about their cybersecurity need to be allayed.
How connected car apps create vulnerabilities
A key thread throughout all of these potential threats is the vulnerability of the apps associated with connected cars. Software developers need to make connected car cybersecurity a top priority, but that isn’t always straightforward. Maintaining a large enough in-house security team to keep application security at the level needed might not always be a viable option for automotive manufacturers.
Applications are already the third most popular attack vector used to infiltrate connected cars. With thefts growing, apps are likely to become even bigger targets. Cybersecurity firm Kaspersky has also specifically warned of the dangers of connected car applications, identifying how they introduce some major flaws into connected car cybersecurity.
The various threats caused by insecure connected car apps include:
- Reverse engineering and tampering with apps to create fake versions that carry malware
- Investigating an app to discover unencrypted login details, data, or encryption keys
- Tampering with applications to insert phishing overlays on an app’s login screen or inject other malicious code
- Overcoming rooting/jailbreaking protections to use an app without security protections
- Reverse engineering to discover exploitable flaws in the connected car app’s security
A security solution for connected cars
Bolstering connected car cybersecurity and keeping associated automotive applications safe from hacking requires multiple techniques to block and frustrate hackers’ efforts. These include technologies such as advanced code obfuscation and anti-debugging to prevent reverse engineering, integrity checkers and other anti-tampering measures, intrusion detection and response, and white-box cryptography to protect encryption keys. Intertrust’s suite of products helps automobile manufacturers keep data safe and their vehicles secure, allowing them to fully capitalize on this paradigm-shifting technology.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.