The reality of hacking threats in connected car systems
• As cars become more connected, they are also becoming more vulnerable to hacking and data theft.
• Connected vehicles use new technologies such as over-the-air updates, but these updates also expose the software to hacking and safety hazards.
• Consumers should be aware of the cybersecurity risks associated with connected cars and take steps to protect themselves.
• Infotainment systems in modern vehicles can pose cybersecurity risks, as they provide connectivity options that hackers may exploit to access and control vehicle functions.
• Automotive manufacturers are adapting to comply with evolving cybersecurity standards, using new processes and technologies to keep their vehicles secure.
• Managing cybersecurity across the automotive supply chain is a challenge, as vehicles are made of components from different vendors with different security standards and practices.
• Government regulations, such as those issued by the United Nations Economic Commission for Europe (UNECE), are shaping the automotive sector’s cybersecurity approach.
• The automotive industry should be prepared for emerging cybersecurity threats, particularly those related to vehicle autonomy and the risk to human life in the event of a vehicular hack.
• The question of accountability in the event of an accident caused by an autonomous vehicle is still uncertain and varies across different legal systems.
With the integration of sophisticated technologies like over-the-air updates and increased data connectivity, cars are no longer just modes of transportation but also hubs of personal and operational data. This shift brings forth unique cybersecurity challenges, ranging from hacking and data theft to safety hazards resulting from potential system breaches.
In this Help Net Security interview, Ivan Reedman, Director of Secure Engineering at IOActive, discusses how manufacturers, government regulations, and consumers are adapting to these new challenges.
How has the rise of connected vehicles transformed the landscape of automotive cybersecurity?
The automotive industry faces new cybersecurity challenges as vehicles become more connected. Connected cars are more exposed to cyber threats such as hacking and data theft. All parties in the manufacturing supply chain should follow key principles for vehicle cybersecurity, such as organizational security, risk assessment and management, and product aftercare and incident response. Connected vehicles also use new technologies such as over-the-air updates, which enable remote software updates. However, this also exposes the software to hacking, which can pose serious safety hazards. All parties in the manufacturing supply chain must ensure that vehicles are secure from cyber threats. Several standards have been created to help set a global standard for vehicle security.
What should consumers know about the cybersecurity risks associated with new cars?
Connected cars pose new cybersecurity challenges for the automotive industry. As cars become more connected, they are more exposed to cyber threats like hacking and data theft. Consumer expectations for vehicle functionality have also led to similar development practices as consumer technology, such as frequent bug fixes and feature rollouts that may not be fully tested. Some of the main cybersecurity risks for connected cars are remote hacking and data privacy concerns. Consumers should be aware of these risks and protect themselves.
How do infotainment systems in modern vehicles pose cybersecurity risks?
The modern vehicle infotainment system offers and uses various connectivity options like Wi-Fi, Bluetooth, USB, or cellular. These systems expose many interfaces that hackers may be able to exploit to access and control vehicle functions remotely, endangering human safety. Infotainment systems also store personal information, such as personal contacts and location data, which can attract cybercriminals. The vehicle architecture determines how well the critical systems are protected from such breaches.
How are automotive manufacturers adapting to comply with evolving cybersecurity standards?
Automotive manufacturers are adopting new processes and technologies that meet the changing cybersecurity standards to keep their vehicles safe from cyber threats. For instance, the International Standards Organization (ISO) and SAE International have issued a joint standard for automotive cybersecurity engineering, which outlines a systematic process to integrate cybersecurity into the vehicle design. Moreover, the United Nations Economic Commission for Europe (UNECE) has enacted new cybersecurity regulations for vehicles, mandating manufacturers to get a Certificate of Compliance for the cyber security management system (CSMS). Automotive manufacturers are also using new technologies such as over-the-air updates, which enable them to update software remotely. However, this also exposes the software to hacking, which can pose serious safety hazards.
What are the main challenges in managing cybersecurity across the automotive supply chain?
Vehicles are made of components from various vendors, who may have different security standards and practices across different regions and cultures. Without clear and strict security requirements from the vehicle manufacturer, and thorough testing to ensure compliance, the vehicle’s security posture will vary across its components. One of the major supply chain risks for the automotive sector is the infotainment systems and connectivity technology provided by software vendors.
How are government regulations shaping the automotive sector’s cybersecurity approach?
The UNECE has issued new regulations that mandate original equipment manufacturers (OEMs) and their suppliers to adopt comprehensive cybersecurity solutions to prevent and counter cyberattacks. The regulations cover four aspects: cyber risk management, vehicle security by design, detection and response capabilities, and secure software updates without compromising vehicle safety. The regulations are expected to take effect from July 2024. Several ISO/SAE standards have been created to address cyber security threats.
What emerging cybersecurity threats should the automotive industry be prepared for in the near future?
The risk to human life resulting from a vehicular hack is the most serious concern and emerging threat to the automotive industry, followed by data theft. While both are a constant threat, vehicle autonomy brings new and evolving challenges in terms of safety and responsibility for data theft. Who should be held accountable if an autonomous vehicle causes an accident? Different legal systems have different answers to this question, and it has implications for financial liability.