Under the bonnet of automotive security
Art Dahnert, Cigital
The security and privacy implications for the automotive industry are growing as cars increasingly become computers on wheels, writes Art Dahnert, a consultant at Cigital.
Depending on whom you ask, a modern car may have up to 100 miniature computers on board, running millions of lines of code. Each of these computers can be connected to a handful of sensors, collecting tiny bits of data and sending it back and forth across various connections within the car’s network.
Here are just a few examples:
- EDR (Event Data Recorder, an airbag system) records speed, steering, and seat belt information
- IVI (In Vehicle Infotainment) system captures GPS coordinates as well as your final destination (via the navigation system)
- Bluetooth transmits hands-free communications between mobile devices and the vehicle’s IVI
- Telematics systems like OnStar or Bluelink track GPS location, vehicle speed, current gear, and lock status – everything needed to locate a lost vehicle
- Sensors like TPS (Tyre Pressure Sensor) and other fluid level sensors monitor numerous metrics to assist with routine vehicle operation
Most of this data is forgotten when you turn off the key and exit the vehicle; however, some of this data lives beyond the trip to the supermarket. And almost all of this information is available directly to the manufacturers if the vehicle is one of the more modern connected cars available today.
Every bit of data is also available to interested third parties with a little bit of software and proper documentation, such as the corner mechanic who needs to diagnose that pesky check engine light. Those interested parties are not always in the same location as the vehicle; in fact, they may be halfway across the world, as with customer service for the telematics feature.
In some ways a modern car can be thought of as an Internet of Things (IoT) all unto itself, a mobile ecosystem where security and privacy have taken centre stage as your data is increasingly captured as you drive and then sent up to the cloud where it can be accessed by a whole range of applications and individuals. Add to this the ongoing revelations of serious technical security vulnerabilities in cars manufactured by well-known brands – just search “car hacking” – and one might get nostalgic for the days where the most advanced onboard car technology was AM/FM radio.
Taking the wheel on security and privacy
Clearly it’s becoming more and more important for auto manufacturers, as well as the rest of the industry – including insurance providers – to take their share of responsibility as stewards of this data.
Thankfully, there is a great deal of established practice around security and privacy in the world of technology, based on – sometimes painful – lessons learned in other industries over the years. Here are some key observations from our experiences in assessing technology security and privacy over the last 20 or so years:
- Don’t collect data you don’t need in the first place. Many organisations are coming to the realisation that the liability of a data breach is not worth the actual value they get from collecting the data in the first place.
- Tell the user what you’re collecting and how you plan to use it in simple terms.
- For data that is collected, follow recognised practices for storage, security and retention.
- Give everyone an opt-out, in particular an “erase my data globally” (on-car, in the cloud) option in the case that the user no longer uses the service, such as when the car is sold to someone else.
- Use recognised security controls in the design and engineering of auto technology, including strong authentication and encryption. Look to today’s mobile devices as an example, with their lower prevalence of malware than older PCs, integrated fingerprint authentication, encryption even governments have difficulty breaking, and so on.
- Ensure that recognised security practices are implemented during the development of such technology, such as threat modelling, code review, and security testing. Consult existing approaches like Microsoft’s Security Development Lifecycle for examples.
- Be prepared to respond to technical emergencies in the field. Establish a technology security response capability, and ensure all software/firmware can be updated quickly and efficiently across the fleet.
IoT technologies have enabled the automobile to become connected in an unprecedented way, moving us closer and closer to an automated driving society. We need to make doubly sure these new applications provide maximum security and privacy, because the stakes are raised in driving scenarios where life safety is the primary concern. Fortunately, the auto industry can leverage examples established in other industries, like banking and telecoms, which have helped establish a common body of knowledge about information security and privacy based on their own trials by fire over the last several years.