Aashish Sharma

@AshishSharma31

Motor Vehicle Hacking — A 21st Century Problem

The automotive industry has been getting a few perks from the advancing technology thanks to the technological revolution. One of the key technological advancements in the automobile industry is the connected car technology. This gives the car more functions than just take you from point A to point B. For instance, vehicles fitted with this technology will be capable of ordering meals/coffee, pay for the same, schedule for repair and maintenance at service centers, as well as communicate with the internet of things (IoT) enabled devices back in the house. All these perks however attract vices that can be deadly to users as well. Such advances make a connected car vulnerable to hacking.

According to forecasts on the Industry, an estimated 150 million or more connected cars will be on the road by the year 2020. Automakers are already rolling out new generation internet-enabled vehicles. Although this paves the way for exciting times ahead, automakers are still concerned about connected-car cybersecurity. Based on past experience with cybersecurity on mobile devices, personal computers, corporate networks, and even government agencies, anything connected is prone to cyber-attacks. Connected cars are therefore no different from all these. This only makes many of these systems more vulnerable to attacks than ever before.

To help reduce some of these challenges/risks in the automotive cyber security, vehicle manufacturers are partnering with 3rd party developers and OEM vendors to help address these security issues. Since these advances are still at infancy stage, requirements for smartphone applications and connected car OEM platforms are evolving rapidly. This article explores the five key requirements developers need (must be prepared) to meet to be able to penetrate the new markets.

1. Bluetooth Hardening

Bluetooth connectivity has been around long before onboard IoT systems were introduced in vehicles. This, however, makes it a prime target by cybercriminals. Most hackers understand how Bluetooth systems work and how they can be exploited. Bluetooth systems have however been getting upgrades since the first system was developed, with each version having better security and performance. Most Bluetooth systems however only receive remarkable improvements in speed, power consumption, and additional features while security in the same stagnates.

The newest Bluetooth version (V5.0), for example, offers 4 times the range of V4.2 at twice the speed. This is remarkable and especially where performance and expanded functionality is the issue, but not as good with security. This is also unlike earlier versions that were designed for short-range data channels, slow speeds, and weaker security protocols. Although newer Bluetooth versions are incredibly fast and reliable, the increased transmission range improves a hacker’s chances accessing the device, download private data, or even transfer malicious code at faster rates than before.

The newer Bluetooth V5 puts it in direct competition with Wi-Fi technology as it received a capacity boost of up to 800% transmission speeds. Although Wi-Fi technology is considerably more secure than Bluetooth, Bluetooth still dominates car-to-device connections in many connected vehicles today.

One of the main risks of using Bluetooth in connected cars is that hackers can take advantage of its weak security protocols to access control to other connected systems in the vehicle. For this reason, developers and car manufacturers have to create/develop a love-hate relationship with Bluetooth devices. Most manufacturers are forced to include new Bluetooth capabilities and features for their applications, many of which seek out and close vulnerabilities quickly.

Familiarity with new Bluetooth specifications when developing Bluetooth applications for connected cars is however not enough for all developers. Developers have to understand vulnerabilities that come with the same and close them immediately for optimal security. The only way one can create a secure Bluetooth application is only if he/she understand trending Bluetooth vulnerabilities and current research on the same.

2. OTA (Over the Air) Updates

Ensuring all systems are running on a current operating system and software holds the key to keeping computerized systems secure. That said, you don’t expect every connected car owner to show up in dealership shops to have their systems updated. It won’t also be practical for drivers to download these updates, or install them manually. A good example of this is individuals with computers running on XP — they don’t go looking for updates.

The only recommended/practical way to ensure these vehicles get regular updates is by enabling OTA technology or over-the-air updates. This allows built-in systems download updates wirelessly and automatically, thus keeping your systems up-to-date. For this reason, over-the-air updates in connected car versions are among the expected features as the industry matures.

It is the developers’ responsibility to ensure all their products get all important updates on time. The only feasible way to see this happen is by forcing automatic OTA updates on systems in these cars.

3. Regulatory Compliance

The U.S. passed a bill (the Spy Car Act 2015) that compels the NHTSA (National Highway Traffic Safety Administration) to enact guidelines governing automotive cybersecurity. The main purpose of this bill was to require automobile manufacturers to ensure automobile car security and privacy for all cars sold in the United States. The European Parliament has also adopted laws that focus on improved driver data privacy. These legislations are all meant to ensure consumer data isn’t misused.

With these regulations in place, automobile makers will have to accept requirements put in place by both OEM and 3rd party applications. For this reason, any developer will have to comply with both The U.S. and European legislation for their applications to be allowed in connected cars around the world. This therefore helps improve data security on connected cars.

4. Data Privacy

Aside from abiding by legislation requirements put in place to protect connected car data, developers still have a responsibility to ensure client personal information is well protected. This is particularly important for connected car applications that use sensitive personal information. Consumers today are more careful with personal data hence will do anything to ensure nothing puts such information at risk. For this reason, technologies used on connected cars need to be safe and secure, and most importantly, win consumer confidence.

According to Jake Braun of Chopper Exchange, most connected vehicle apps require users to enter personal information to enjoy the services offered. Users need to be sure their data is protected before using such services/apps. Common information required to access specific connected car apps include:

Personal info: Phone number, address, name, etc.
Account information for cloud-based services
Banking and other payment information
Medical information

Unless necessary, the only best way to keep a user’s personal information secure is not requesting it at all. If the user has to enter personal information on the app, he/she then needs to be assured it will be encrypted and secured while in transit and stored safely at the destination. Experts recommend a form of tokenization to ensure private data is secure. Keeping personal information while providing users access quality services through these apps is mandatory, hence an art that needs to be mastered by the developers.

5. Attack Capture Retention

Almost every developer is well aware of attack evidence capture. This concept capitalizes on collecting and storing operational data from a system to facilitate analysis of the same should there be an attack or system failure. In other words, think of it as a vehicle’s black box. This concept has been in play in the US since 2015 where all new cars have a system that records certain vehicle operation data using an EDR (vehicle Event Data Recorder). Such information is however only accessible to law enforcement agencies and insurance companies and can only be accessed if investigating an accident.

The EDR records a great deal of vehicular information including vehicle occupancy, acceleration, and speed, among many others. Just like an EDR, the Evidence capture feature is purposely built to capture any information related to cyber-attacks on the car applications and systems. Such measures are essential for they help application vendors to identify the breach, how it occurred, and other vulnerabilities the hacker might have exploited to gain access. Such information is therefore crucial for forensic analysis.

The main purpose of Evidence Capture gives an innovative developer two unique opportunities:

  1. Provide apps that include a built-in evidence capture feature
  2. Develop OEM-integrated and Stand-alone evidence capture solutions

Apps with this feature built-in are deemed to be approved by automakers much faster than those without. With this feature, developers can detect vulnerabilities and be able to close any loopholes before hackers can do any damage.

Developers capable of creating solutions to apps installed on Smartphone-based telematics platforms stand a huge opportunity with developing systems that can be integrated to OEM platforms. Such features will allow one to record any information related to network traffic, ongoing data transfers, device configuration, and any data that can be used to help reconstruct the events of an attack. Attack capture retention data can however be stored for minutes, hours, or even days and not for the long term. Keeping such data secure from hackers, is a problem developers have to solve. Cloud storage would seem an excellent option for storing such sensitive data.

How can to Help?

With connected cars becoming a reality, seasoned developers are tasked with the opportunity to develop better applications to ensure their applications are secure enough. Responding to both the challenges and opportunities require a combination of skill and expertise in the automotive industry, technology, cybersecurity, and IoT. Such is too much to ask for many development firms out there.

More by Aashish Sharma

Topics of interest

More Related Stories