Vital cybersecurity areas automakers must focus on
In January, a teenager in Germany found a vulnerability in third-party software that let him remotely start 25 Teslas in 13 countries, find their locations and determine whether anyone was in the car.
He then was able to access owners’ emails. Hacking an iconic Tesla is way cooler than cracking into some corporate database, right? Luckily, David Colombo is a security researcher, not a criminal. Cars are an attractive target, and they’re vulnerable. Researchers have identified vulnerabilities in connected cars for half a decade or more.
While cyber-security has become a strong focus for automakers and their partners, the threat remains high. UN Regulation No. 155 for wheeled vehicles, promulgated in March 2021, identified 69 potential vectors of attack that manufacturers are required to secure. Numaan Huq, senior threat researcher at Trend Micro, says his team has found even more.
One example is cameras and image processing, especially for autonomous systems. He points out that simple hacks such as putting a sticker on a speed sign can confound an AV’s ability to function correctly. “If you have a fleet of vehicles mostly relying on image processing, you’ll have problems,” Huq says.
Lessons from IT
“The car is transforming from a standalone device to a supercomputer with wheels connecting to backend systems and communicating in real time. This is very similar to when computers came out and began to connect to the internet. Just as computer applications eventually moved to the cloud, it’s similar with connected cars. So, we can definitely apply what we’ve learned from the IT world,” says Yurika Baba, solutions manager for Trend Micro.
Securing everything from the vehicle to the cloud to the factory to customer databases is a huge and gnarly task. Huq says that the most critical areas, which are not the low-hanging fruit, are denial-of-service attacks, hosted third-party software like that shown in Colombo’s demo, reaching the car via back-end servers, and vulnerabilities in software and hardware.
Says Baba: “Threat intelligence, how to detect and how to protect, has to be bridged between automotive and IT security. While there are automotive-specific protocols and techniques and procedures, both IT and automotive have to be on the same side.”
Better access models
Another lesson from the IT world is building out access models, according to Yash Prakash, chief strategy officer for Saviynt. Just as IT departments set up different levels of permission and tight credentialing for employees, automakers should consider the different roles that might need access to automotive data or systems.
It’s difficult enough to transfer access from the first owner to the second when the vehicle is resold. Car sharing adds more than another level of complexity. Then, there are all the third parties that might need access: the dealership, independent mechanics, fleet owners, friends and family of the owner, the manufacturer itself.
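A minimal sketch of such an access model, added here as an illustration and not taken from the article or any automaker's system: role-scoped grants, a time-limited car-share grant, and a resale that revokes everything the previous owner delegated. The role names are a subset of the parties listed above; the action names, the "oem" root issuer and all sample names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ROLE_ACTIONS = {  # hypothetical map; roles follow parties the article lists
    "owner": {"unlock", "start", "locate", "read_diagnostics", "share"},
    "family": {"unlock", "start"},
    "car_share_renter": {"unlock", "start"},
    "independent_mechanic": {"read_diagnostics"},
    "manufacturer": {"update_software"},
}

@dataclass
class Grant:
    subject: str                        # who holds the access
    role: str
    granted_by: str                     # who delegated it
    expires: "datetime | None" = None   # None means "until revoked"

class Vehicle:
    def __init__(self, owner):
        self.owner = owner  # assumption: "oem" is the root that issues owner grants
        self.grants = [Grant("oem", "manufacturer", "oem"), Grant(owner, "owner", "oem")]

    def allowed(self, subject, action, now):
        # Fail closed: unknown roles and expired grants authorize nothing.
        return any(g.subject == subject and action in ROLE_ACTIONS.get(g.role, ())
                   and (g.expires is None or now < g.expires) for g in self.grants)

    def grant(self, actor, subject, role, now, ttl=None):
        # Only a holder of "share" may delegate, and root roles cannot be delegated.
        if role in ("owner", "manufacturer") or not self.allowed(actor, "share", now):
            raise PermissionError(f"{actor} may not grant {role}")
        self.grants.append(Grant(subject, role, actor, now + ttl if ttl else None))

    def transfer(self, new_owner):
        # Resale: drop the old owner's grant and everything that owner delegated.
        keep = [g for g in self.grants if self.owner not in (g.subject, g.granted_by)]
        self.grants = keep + [Grant(new_owner, "owner", "oem")]
        self.owner = new_owner

def demo():
    t0, hour = datetime(2022, 1, 1, 9), timedelta(hours=1)  # constructed values
    car = Vehicle("alice")
    car.grant("alice", "renter", "car_share_renter", t0, ttl=2 * hour)
    car.grant("alice", "garage", "independent_mechanic", t0)
    before = [car.allowed("renter", "start", t0 + hour),
              car.allowed("renter", "start", t0 + 3 * hour), car.allowed("garage", "start", t0)]
    car.transfer("bob")
    return before, [car.allowed(s, a, t0) for s, a in (("alice", "unlock"),
        ("garage", "read_diagnostics"), ("bob", "start"), ("oem", "update_software"))]
```

Recording who delegated each grant is what lets the resale step revoke the old owner's mechanic and renter in one pass while the manufacturer's access survives.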
To read the complete article, visit TU-Automotive.