Queasy feelings in the driver’s seat

by Giuseppe Serio, IBM Global Solution Leader for Connected Vehicle Security

I’ll never forget my emotional reaction to the now-famous hack of an Internet-connected vehicle. The morning after I’d read about it in the media, I stood next to my car, needing to drive to the office but doubting whether it was a good idea to open that car door, sit down on the driver’s seat and start the engine, as if nothing had happened.

My thoughts swirled around how two researchers could hack into a passenger car, take control and do all sorts of scary things with a “victim” on board. Had some invisible attacker already identified my car or, even worse, myself as an interesting target to attack?

As a young child, I had often played around with a radio-controlled toy car, but I would never have imagined that one day this would turn out to be possible with a real car.

So how could a hacker take control over a vehicle in the first place?

Connected cars invite new risks

The answer is simple: a connected car faces the same cyber challenges as any computer once it is connected to other computers and to the external world (i.e., the Internet). Gartner estimates that by 2020 around 250 million cars will be connected to the Internet.

And it’s not just about “connected vehicles.” The features that consumers nowadays expect a car to have (Wi-Fi, Bluetooth, various sensors and connectors, etc.) add an unprecedented cyber-physical attack surface. And while few people would leave a personal computer or tablet unattended in public, a car is routinely left outside, alone and physically accessible to an attacker.

The connectivity, per se, is not the real culprit. Rather, it’s the path from that connectivity into the in-vehicle network that opens a plethora of attack surfaces. This is because the software, which is driving about 80 percent of the innovation in a modern vehicle, is never totally secure. It is designed by humans – and humans make mistakes, no matter how hard they try. Software will always have potential vulnerabilities in its source code, and over time, tools or methods will emerge to exploit them. Any tech-savvy person could break in just to play around out of “curiosity”. Or worse, a criminal, terrorist or other type of organization could exploit these vulnerabilities for more sinister goals.

The bad news is that with vehicle connectivity we have entered a new dimension and passed the point of no return. Our automobiles are – and will be from now on – perpetually exposed to security and privacy vulnerabilities and therefore potential attacks. While we have learned to accept and deal with similar challenges in the classic enterprise or personal IT space, we now need to confront these realities for vehicles too.

Rethinking how vehicles are made

The automotive industry’s challenge for the next few years is twofold: On one hand, OEMs must manage the long lifecycle of vehicles they’ve already delivered, which means cars already on the road may remain exposed for another 12 to 15 years, long after the software in them was written. Meanwhile, on the other hand, they need to fundamentally change the way vehicles are designed, built and operated – with security and privacy concerns addressed at their core.

[Image: Suppliers to the new Mercedes-Benz S class. Image credit: Automotive News Europe]

As the image above shows, a vehicle is a complex assembly of parts and components from dozens of suppliers. Only about 30 to 50 percent of a modern vehicle is typically built by the OEM itself. Designing security and privacy in from the beginning implies understanding the end-to-end attack surface of all parts and components and implementing the necessary processes, procedures and protocols to mitigate the final product’s exposure to cyberattacks.

In the automotive ecosystem, the connected vehicle is the flip side of the Internet of Things (IoT) coin. The vehicle is where everything converges – the automobile, the infrastructure and the consumer. You had better have that secured.

[Image: quote from IBM’s Dirk Wollschlaeger]

However, price pressure and drilling everything down to unit costs could cause security and privacy to be designed and implemented unilaterally by each supplier for its own component, rather than in an integrated fashion by the OEM for the vehicle as a whole. Component-level protections that were never designed to work together do not add up to a secure system, and the result is a more vulnerable end product. This is the real challenge to overcome and requires a mind-shift: Security and privacy must be an integral part of the product and not just a feature that you can buy.

Solo may mean so long

As its formerly mechanical product evolves more and more into a very complex and sophisticated software product, the automotive industry needs to learn to think and act like a software company. The IT industry has endured the pain of cybersecurity for the last 20 years and can offer help.

The real question is whether OEMs will take up this fight on their own, in their own silo, as they have historically done – or collaborate. Even among their peers, obscurity has always been the mantra – keeping designs secret to protect intellectual property. Secrecy about a design does not make it secure, and it keeps the people who could find and fix its weaknesses from ever seeing it. It’s time, however, to tackle the challenges of cybersecurity for the connected car not in isolation but as a joint effort across the entire automotive ecosystem. Are you ready?

