New car firms such as Tesla are promoting increasingly high-tech features that require a connection to the internet, which has propelled cybersecurity forward as a major safety feature. Last year, Chinese security researchers from Keen Security Lab successfully managed to hack a Tesla Model S from 12 miles away. By focusing on Tesla’s on-board software, the hack targeted the car’s controller area network, or CAN bus, which connects the chips found inside the cars. In this hack, the Model S P85 and Model 75D were targeted. Tesla continued to make news in 2015 from cybersecurity safety concerns. In November 2016, hackers within one cybersecurity company was able to use the Tesla’s Android app as an entry point to successfully hack the vehicle. What’s more, using the features in the app, the hackers were able to locate the vehicle, unlock it and drive away unhindered.
As GM CEO Mary Barra said in a keynote speech, “A cyber incident is a problem for every automaker in the world. It is a matter of public safety.” As Tesla, GM and many others continue to release connected vehicles, the dangers are very real. In fact, more than half of the vehicles sold today are connected and vulnerable. This threat will only grow as manufacturers begin to release autonomous vehicles.
While gaining access to, and being able to control or steal, a vehicle such as a Tesla is disturbing enough, it raises several concerns about not only connected cars, but also the mobile applications that extend the features of these vehicles and others. In fact, mobile apps are quickly becoming the main target for malicious behavior. Over the last four years, there has been a 188 percent increase in the number of Android vulnerabilities and a 262 percent increase in the number of iOS vulnerabilities. In addition, according to Gartner, 75 percent of mobile apps would fail basic security tests.
Digging deeper, Veracode found that more than 80 percent of mobile apps on both the Android and iOS platforms revealed cryptographic implementation issues. Attempts to protect and then protecting poorly highlight the importance of updated training and tools to aid developers as they target secure and protect applications.
Recently, Android malware has become more stealth. Last year, in 2015, malware began to obfuscate code to bypass signature-based security software. Despite Google’s response to critical vulnerabilities and patches of critical issues in the Android OS, end users are still dependent on device manufacturers for these updates.
Tesla and other automobiles today can have the computing power of 20 personal computers and feature 100 million lines of programming code. While features such as web browsing, Wi-Fi access points and remote-start mobile phone apps, help to enhance the enjoyment of the vehicle, they also add more opportunities for advanced attacks. In real life, thieves are hacking keyless entry systems in the UK to steal cars, meanwhile, software recalls have doubled within the past year, and soon they will match mechanical recalls.
The mobile application industry is pushing forward a new level of interoperability that will require heightened security and privacy measures. App developers are in a position where they can reduce the number of vulnerabilities before the app ships. Auto manufacturers are also prioritizing cybersecurity as a major safety feature as cutting edge vehicles continue to compete with features requiring connectivity.