Editor’s Note: Irrespective of level of luxury, the regulatory implications of automotive cybersecurity vulnerabilities, has been discussed in the literature.
From: Public Service Europe
by Alex Fidgen
Car manufacturers are too focused on the latest gizmo rather than ensuring automotive security is tight enough to stop cyber criminals hijacking onboard computer systems – claims IT expert
Cars have become a genuine target for cyber criminals as it is possible for attackers to gain control of a vehicle while it is in motion, with disastrous consequences. It is feasible that the exploitation of a number of embedded devices within a car might allow someone to gain control of the vehicle. For instance, this would have serious consequences if the brakes were applied at high speed.
Recent events, such as Volkswagen allegedly suing the University of Birmingham to stop it from publishing how it had hacked anti-theft systems on luxury cars – including Lamborghinis and Porsches – have triggered the debate on whether car manufacturers are paying enough attention to the computer security standards applied to their latest models.
This is particularly worrying as with the gradual incorporation of more functionalities and information technology control systems into automotive design, more vulnerabilities are expected to be identified. This could leave the industry open to serious consequences that could potentially have a direct impact on the safety of the passengers.
More to the point, new functionalities being added to car media systems seem to have increased the attack surface area for any criminal capable of finding vulnerabilities. The problem, as it appears to be, could be that most car manufacturers seem to have overlooked security when designing these systems.
Vendors should not try to block security research. Instead, they should work together with the researchers to understand the nature and potential consequences of the threats they are facing. And most certainly, resorting to legal action to block such details from being published is the wrong approach. There are real concerns about the attitude of Volkswagen, given the company appeared to be trying to suppress this information from being published rather than working to rectify it.
Historically, there is a long track record of companies using legal action to try to prevent vulnerabilities from being understood. This has proved to be highly ineffective as in most cases the security community was able to obtain the information through alternative research teams.
In this particular case, VW has only highlighted to the criminals out there that the problems were likely to be genuine and important, so the damage has already been done. This is critical, and manufacturers should instead incorporate strong security research in the design process.
Car manufacturers do not seem to have considered the security threat when using embedded computer systems. Cars are becoming increasingly computerised, particularly supercars which sell for hundreds of thousands of pounds. But not enough thought appears to have gone into securing the systems which leaves the cars wide open to theft and the misuse of computer information.
Such IT vulnerabilities could potentially have very serious impact, both from security and financial perspectives, as cyber criminals target companies on a daily basis. It is a very competitive industry, and car manufacturers continually try to upstage each other with the latest computer gizmos for vehicles. They are on a never-ending treadmill to try and keep ahead and offer their customers the latest technology. However, they now need to take a step back and look at how security should be embedded.
From a customer point of view, it is not just about the car being stolen. It is about the owner’s personal information being stolen from mobile phones and other devices that are linked to the cars on board computer systems. From the manufacturers’ perspective, it is about the latest gizmo being stolen by competitors.
The automotive industry, as well as any other businesses that have not traditionally been hit by cyber-attacks, need to learn quickly from other industries that have been facing this kind of security challenges. It is a very complicated picture but the end impact to any business can be substantial. Companies, in general, have to change if they want to protect information critical to the future profitability of their business.
Alex Fidgen is a director at the consultancy firm MWR InfoSecurity
Leave a Reply