The average high-end car runs on more than 100 million lines of code. There are countless systems running in parallel to manage the steering, braking, environmental controls, infotainment system, headlights – you name it.
Data is carried not only around the car itself but also transmitted and received via the internet. ‘Connected vehicles’ are increasingly becoming the norm. But like any IoT device, there are risks associated with hooking something up to the internet. Especially when that thing weighs over a ton and can travel at up to 150 miles per hour.
Unfortunately, in their rush to bring innovations to market, engineers and developers often overlook security flaws and vulnerabilities. This has certainly been the case with the IoT, which has created a veritable playground for ambitious hackers who want to make a name for themselves.
DVD players have been recruited into one of the largest botnets of all time. Baby monitoring systems have been hijacked, allowing hackers to shout obscenities at toddlers in their cots. And Jeeps have been remotely hacked into and driven off the road, leading to the recall of 1.4 million cars.
But what is the threat landscape for the automotive industry? And what are automotive professionals doing in response?
The automotive threat landscape
In many ways, the cybersecurity outlook for the automotive industry is much like the rest of the IoT. Manufacturers and researchers alike are building databases of known vulnerabilities and working to resolve them as quickly as they can. This may seem backwards and in many ways it is. But this is fairly standard cybersecurity protocol. It’s almost impossible to create a totally bombproof system before you release it to market.
Despite the enormous potential for harm, most of the recorded hacks against connected vehicles have been “white hat” and not malicious. And the majority of the news coverage of vehicular cybersecurity threats to our safety has been speculative. However, this could quickly change. With new zero-days being found each week, it seems like a matter of time until a threat actor ups the stakes and puts human safety at risk.
“Our cars carry an increasing amount of personal data.”
There are other, less headline-grabbing, risk factors to consider. Our cars carry an increasing amount of personal data, not only about ourselves but also all of the contacts in our phones and email accounts. Connected vehicles are devices or endpoints in much the same way as phones and laptops. And like phones and laptops, they can be hacked and the data stored in them removed or destroyed. A key challenge for the automotive industry is securing the infotainment and telecommunication systems which carry this personal data.
A study of 600 automotive professionals found that 63% of respondents weren’t proactively testing the technology they were developing for cybersecurity flaws. This suggests a high proportion of on-board wi-fi, bluetooth, infotainment and telecommunication systems may not be secure. Which is an issue for car owners – and car sellers. There are concerns that owners aren’t being educated on how to cleanse their personal data from their vehicles before they sell them.
And what about the back-end systems, such as the software that carries performance data back-and-forth between the car and its manufacturer? Or the software that patches and updates the vehicle’s onboard applications? Or monitors the car’s GPS positioning? As connected vehicles become more connected, manufacturers find themselves with an ever-growing list of possible security flaws to address. And threat actors find themselves with an ever-growing list of potential vulnerabilities.
What’s to come?
There are a whopping 26 billion devices connected to the internet. That’s three and a half for every person on the planet. By 2025, that figure is expected to triple, despite the cybersecurity concerns that have been raised and demonstrated to date. More connected devices, including cars, means more potential vulnerabilities that can be exploited by threat actors.
“The government has said it expects the first driverless cars to be on the road by 2021.”
And for the automotive industry, the stakes are getting higher. The government has said it expects the first driverless cars to be on the road by 2021 – although some experts think this is unlikely. In either case, the government has already published cybersecurity guidelines for the UK’s first generation of road-worthy driverless cars. And with good reason, because the potential for disaster is high. It’s one thing having a hacker assume control of your vehicle remotely while you’re driving. It’s another for a hacker to take control of a car that is supposed to be driving itself. You may not even realise it has happened.
To date, there haven’t been any ransomware attacks on connected vehicles “in the wild”. However, it’s easy to imagine how it could play out. You jump into your car and start the ignition. Nothing happens. Seconds later a message flashes up on the screen, demanding £5,000. If you don’t pay, the car’s onboard computer will be scrambled and all data wiped. You try to get out but the doors are locked. What do you do?
What does this mean for the automotive industry?
Automotive cybersecurity is quickly becoming a field in itself, with its own star companies and conferences. However, when it comes to cybersecurity, the automotive industry is still in its infancy and already on the back foot. The scale and frequency of cyberattacks continues to increase year-on-year. And with cars becoming ever more connected, we can expect the number of cybersecurity incidents to rise, as well as the level of investment and heed paid to cybersecurity by car manufacturers.
The challenge for cybersecurity professionals in the automotive industry will be making cybersecurity more of a priority during the R&D process. There is always a trade-off between security and innovation. It would be unrealistic to expect manufacturers to halt the sale of connected vehicles – or the development of driverless ones – until they are 100% secure. Sadly, no system connected to the internet can ever be 100% secure.
But the automotive industry will have to balance the need to innovate with the need to ensure that customers are safe. One serious incident could inflict massive reputational damage, as well as harm to drivers and passengers. As the market for connected vehicles matures, the balance will need to shift towards securing the vehicles that are already on the road.
This will require investment in the right people. The automotive industry lags far behind other sectors such as defence and infrastructure when it comes to cybersecurity skills. The fastest way to catch up will be to poach talent from industries with established cybersecurity talent pools. This will become increasingly important over the coming years as more stringent regulation is released on connected and driverless cars. Manufacturers who aren’t able to adhere may find their cars banned from driving on the roads or even having to be recalled.
For cybersecurity professionals in other fields, this may present opportunities. However, shifting into the automotive industry will require specialisation if you’re coming from a more typical network or organisational security background. If you’re considering a job move in the near future, click here to browse our open cybersecurity roles.
We’re running a series on industry specific cybersecurity concerns. In logistics, for example, a breach can completely halt world trade.
