Does entertainment trump security in connected cars?

Reduction in sales and damage to brand are potential bottom line impacts that auto manufacturers need to be concerned about when it comes to security risks and connected cars

Does entertainment trump security in connected cars?
REUTERS/Gary Cameron/Files

Reduction in sales and damage to brand are potential bottom line impacts that auto manufacturers need to be concerned about when it comes to security risks and connected cars. 

According to a newly released IOActive report , "Commonalities in Vehicle Vulnerabilities", authored by senior security consultant Corey Thuen, "39 percent of vulnerabilities are related to the network. This is a general category that includes all network traffic, such as Ethernet or web."

Using security best practices publications to design connected cars can mitigate up to 45 percent of vulnerabilities, yet OBD2 adapters, telematics systems and other embedded devices remain security problems in the modern vehicle.

System design, engineering problems, and problems in deployment mechaninsms and testing are the root causes of what IOActive identified as the top eight vulnerabilities: Vendor-introduced backdoors, vulnerable dependency, incorrect utilization of the principle of least privilege, authentication systems requiring hardcoded credentials, accidental information disclosure, coding logic errors, buffer overflows, and web vulnerability implementation problems.

[ MORE ON CSO: 6 high-tech ways thieves can steal connected cars ]

The embedded nature of these vulnerabilities minimizes their likelihood of exploitation to some degree because hackers need to be highly skilled and sophisticated in order to know where to look for them. However, Thuen said, "Many of the IoT devices use the same types of technologies, and as more people interact with IoT, the more they will understand how to interact with the vehicles."

While there are incredibly innovative capabilities being designed, these systems are also exposing cars to a lot more connectivity because every added feature adds an additional attack vector to the car.

Most people don't want to take control of a car and crash it. "Although vehicles themselves don't align well with traditional hacker goals, like money, there have been attacks in the wild," Thuen said. The most notable are those thieves who use key fobs to hack the remote keyless entry system.

Those motivations are different. The goal is to steal a car. If malicious actors are gaining control of vehicles with the intent of causing harm, these events remain unreported. What we have seen from notable automotive security researchers, Charlie Miller and Chris Valasek, are demonstrations of third parties being able to gain control of a vehicle after extensive hours of research.

Sam Abuelsamid, senior research analyst at Navigant Research, said there are two of those demonstrations that are most likely to cause a problem. "A lot of OBD2 adapters are often equipped with cellular radios that transmit your driving behavior back to insurance companies. Not all of these adapters are made with the same level of security and care," Abuelsamid said.

An additional vulnerability common in connected cars is the vehicle telematics systems, like OnStar or UConnect. "Most manufacturers now offer cellular radio built into the car for remote locking and unlocking or stolen vehicle recovery. That was the big story last year. They figured out how to remotely access the built in cellular model in the vehicle," Abuelsamid said.

The trick for connected cars is that in order to enable the features customers want, "The communication system has to be able to talk to the rest of the vehicle network," Abuelsamid said. Depending on how the security is set up, attackers would use the same attack vectors as they would when compromising any other network.

"The systems are publicly facing, so it's not like a website. Vehicle connectors are not easy to find in the first place. They are typically trying to find an IP address or phone number for the data system in the vehicle to determine where the communication device is on the network," Abuelsamid said.

Where a few years ago, manufacturers had all systems for anything computer run made on the same package, they now understand the vulnerability in these major points of entry and are making greater efforts to harden their security operations systems.

Nathan Wenzler, principal security architect, AsTech Consulting

"The problem," said Nathan Wenzler, principal security architect at AsTech Consulting, "is that the industry is not known for moving quickly. They are redesigning with software that they aren't really familiar with."

To be fair, auto manufacturers are burdened not only with manufacturing a vehicle, but also with being security experts. "They are asked to be software developers, database managers, SaaS managers. They go from making a car to being a Google," said Thuen.

There is no turning back from that demand now, so Wenzler said, "The  responsibility lies with the manufacturers to design software systems to be secure and protected. They are internet able or internet connected. A lot of developers think that because it's a stripped down version of an operating system that makes it secure. No, you need a lot more than that."

While there is quite a bit of consumer driven angst that has motivated car companies to build systems that are secure, there is still much that needs to improve. "The key thing to stress, though, is that there is no terrible panic. I don't see this as a massive public safety issue," said Wenzler.

[ RELATED: 4 simple ways to secure your Internet-connected car ]

"They need to write proper code and build security teams to test the product, to get in and try to break these things to build systems that are secure," Wenzler said.

Richard Wallace, director, transportation systems analysis at the Center for Automotive Research, also noted that poorly written code allows easy access for malicious actors. "If your network (CAN) is protected, then you might avoid additional vulnerabilities, but CAN was not designed with network security in mind. Many vulnerabilities result from poorly written code. Other vulnerabilities could be in the supply chain: components or subcomponents supplied that lacked adequate security or such security was not even a requirement from the OEM," Wallace said.  

Because there will always be vulnerabilities, the automotive industry needs a detection and reporting system in the loop, as well as over-the-air (OTA) update capability for fast response.   

Experts agree that the best solution is to build stronger security upfront. But, if installing better cybersecurity is the best way to mitigate risks, why isn't that happening?

"Much of it is organizational culture," Wallace said. "They never had to before recently, thus there is no history. They are dealing with complex supply chains in which components with software and ECUs are designed and made by tier-2 and tier-1 suppliers, not the OEMs."

To Thuen's point about the demands on modern car manufacturers, Wallace said, "There are large amounts of code in new vehicles. They expect an error every so often, but it is almost impossible to find them all--even if you tried--due to near-infinite permutations in possible commands."

Continued efforts to instill a culture of security by design, rather than security as an afterthought will help to mitigate current and future security risks. "The automakers have set up an automotive info sharing and analysis center (ISAC) to share information about vulnerabilities and develop best practices," said Abuelsamid.

While they can’t guarantee a complex system is 100 percent secure, they are working on being resilient. If they can better detect a threat and bring it to a stop, they can avoid an accident.

Fortunately for auto manufacturers, "There are a number of startups that are developing solutions to firewall the vehicle and to detect any incoming messages and anything malicious going on inside the vehicle network," said Abuelsamid. 

In the past, the auto industry as a whole seemed to be in a state of denial about security being an issue. "The attitude has really changed inside the industry," said Abuelsamid, "and they are now taking security very seriously."

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)