Automobiles are probably not what comes to mind first when thinking about major cyber security risks or cutting-edge devices and technology. After all, cars have been around for more than 100 years and they remain by and large “offline” – mostly unable to communicate with the billions of IP-enabled devices around the world. Some recent models have come equipped with onboard 4G LTE modems, but these vehicles are still very much the exception. Overall, automobiles are more tapped into decades-old infrastructure such as gas stations and roads than they are into the emerging Internet of Things.
The connected car as a security concern
While the traditional gas-powered car, much like the feature phone, probably isn’t going away for good anytime soon, big changes are ahead regarding how vehicles operate as well as how they interact with other devices, sensors and facilities. The addition of embedded cellular connectivity in more cars, for instance, along with the presence of remote access capabilities in critical automotive infrastructure, such as automated tank gauges at gas stations, may create new attack surfaces for cyber criminals.
Moreover, the prospect of innovations such as driverless cars raises the stakes for secure software and firmware in all vehicles. Securing automobiles from cyber crime may someday become at least as relevant as protecting a PC, smartphone or tablet from malware and Web attacks is today, especially considering that a cyber attack on a car jeopardizes physical safety rather than just abstract information.
“The modern car is not just a mechanical machine, it is also a computer that is online as much as a smartphone or PC is,” observed Rainer Link, Senior Threat Researcher at Trend Micro, in a recent TrendLabs blog. “Therefore, it is something that users will have to protect moving forward, and car manufacturers should move to secure their products before any real-world attacks become apparent.”
The gas station example: Thousands of facilities at risk of unauthorized access
Let’s start at a place that isn’t exactly synonymous with IT or cyber security: the gas station. While connected cars are still making their way into the mainstream, gas stations already depend on technology that could be vulnerable to exploitation over the Internet.
More specifically, it was recently discovered that the automated tank gauges at roughly 3 percent of the 150,000 gas stations in the U.S. lack basic password protection for keeping out intruders. Accordingly, the control ports in these ATGs could in theory be attacked, causing their respective stations to essentially shut down because of erroneous tank readings.
This exploit hasn’t been definitively observed in the wild, perhaps because a successful instance of it would likely be indistinguishable from a technical failure. All the same, it is something for security teams everywhere to keep in mind as they consider how to protect a growing number of sophisticated devices.
The vulnerability is also similar to something that has been happening for years to another part of the U.S. transportation infrastructure: hacking of electronic road signs. In most cases, these incidents have limited impact on safety – e.g., an estimate of how much time commuters may have until reaching a certain city, or a message about impending road work, is replaced by a garbled message. They do demonstrate, however, the risks of connecting so many previously offline devices and facilities to the Internet.
Connected cars face similar risks from Bluetooth, Internet connectivity
Cars, like gas station ATGs or anything else that connects to the Internet, become more vulnerable to attack as they become increasingly reliant on IP networking. Last year, Wil Rockall of KPMG told Infosecurity that the typical connected car had more than 50 access points that could be exploited by cyber criminals.
The evolution of car design, with wireless networking becoming a more mainstream option, has already changed the face of car theft. Rockall stated that, as of 2014, three-quarters of vehicle heists in London happened because of electronic manipulation rather than the old-fashioned lifting of someone’s car keys.
In addition to cyber security firms and automobile manufacturers, governments around the world have also taken an interest in the new risks that surround the connected car. U.S. Senator Edward Markey has called for collaboration between carmakers and the cyber security community as a way of ensuring the safety and privacy of all drivers.
Markey cited the rise of Bluetooth and IP connectivity in cars as pivotal changes that necessitated overdue action on in-vehicle security. Certainly, one could argue that the relationship between automotive functionality and cyber security has been important for years, in light of a 2011 study from the University of California, San Diego that identified Bluetooth, CD players and radios as potential attack vectors.
One could go back even further, all the way to the introduction of an emissions reduction law in California in 1961, to find the origins of computerized cars. Many vehicles built in the years after that law’s enactment shipped with electronic control units that helped regulate their exhaust. With time, these dedicated units became integrated into the general functionality of cars and became the brains behind air bag systems, GPS and braking.
Looking ahead at what’s next for cars and cyber security
The general computerization of cars seems to be pressing ahead. Technology firms such as Apple and Google have both ramped up their efforts in the automotive space, working on projects such as self-driving cars and onboard operating systems.
Internet connectivity and cross-functionality with other devices will become more common in consumer vehicles in the years ahead. It will be a challenge to ensure security in these automobiles, but there’s also an opportunity – especially since the field is so new – to settle on best practices early on.
Something like an intrusion prevention system could be implemented in a vehicle to ward off threats, although such an implementation would require regular updates. Cars such as the Tesla Model S have proven that software/firmware updates can be managed somewhat like they are on a computer, so there’s cause for optimism there.
Forms of two-factor authentication could also be used to secure ignition and startup. If cars are really set to become computers by another name, then there are plenty of possibilities for hardening them against threats.