Kevin Mahaffey
When you connect a car to the Internet, it is no longer just a car: It is a computer on wheels.
For years, the security industry has asked itself, “When will cyberattacks affect the physical world?” The connected car is a clear example of where this manifests, especially as researchers release new information about vehicles’ vulnerabilities, such as my partner Marc Rogers’ and my deep dive into Tesla’s systems, or the recent Jeep Cherokee analysis, wherein researchers breached the vehicle’s drive systems from the Internet, slowing the vehicle to a crawl on a highway. Fiat Chrysler has since recalled more than one million vehicles as a result, and legislation aptly named the “Security and Privacy in your Car Act” is currently in consideration by Congress.
When a car can search Google, send tweets and be remotely accessed from a smartphone app, that car has more in common with your laptop than it does the Model T. Securing the next generation of connected automobiles means redefining what it means for a vehicle to be “road-ready.” The road-ready vehicle of the future needs cybersecurity measures beyond the traditional physical safety measures taken today.
It is inevitable that automobiles — alongside every other essential technology in our lives — become connected. Given how important cars and trucks are to both individuals and the world’s economy as a whole, it’s entirely expected that attackers will focus their energy on disrupting vehicles’ (hopefully) well-designed systems.
Thankfully, nothing catastrophic has happened yet, and the auto industry is in position to take necessary action to get ahead of this problem. However, it needs to learn from the software industry’s experience on the front lines of the Internet, something most auto manufacturers have yet to do.
For example, as part of its mission to reinvent the automobile, Tesla has taken a software-first approach to its cars. Knowing that the people will expect their car to be connected to the Internet, the conversation internally never was “when these cars become Internet-connected,” it always was “how can we build a great connected car?”
As with any software-driven product, cybersecurity must be a deliberate investment. Today, the auto industry can take three specific measures to dramatically improve the cybersecurity of its vehicles.
First, vehicles need over-the-air update systems to avoid expensive and lengthy recalls every time a security vulnerability is found. Second, manufacturers must separate infotainment systems and the critical drive systems, tightly controlling communication between them, just as commercial airliners isolate inflight Wi-Fi networks from critical avionics systems. Third, manufacturers must assume that some attacks will succeed and secure each individual software component in the vehicle, so that if an attacker compromises a single system they do not automatically get access to the entire vehicle.
While the state of automobile cybersecurity would be substantially improved if all manufacturers implemented these guidelines, they are just a start. It takes years for a company to develop a strong cybersecurity culture; even with a strong internal cybersecurity team, that team must be supported by and integrated into the organization as a whole.
Further, companies with experienced security teams look not just inside the company for support, but outside to the global community of security researchers identifying problems — and hoping to get them fixed — ahead of criminals. For example, Tesla launched a “Bug Bounty” program to encourage external security researchers to responsibly identify and help fix any security issues they uncover. I encourage all other manufacturers to follow a similar path.
Consider the consequences if the auto industry does not get security right: Manufacturers may need to issue a recall for every software vulnerability found. Recalls are a long process, and software vulnerabilities become a substantial personal safety issue, even a national security concern, if not fixed immediately. Further, if the frequency of software vulnerabilities in vehicles is anywhere near that of PCs — monthly and even weekly in some cases — recalls quickly become impractical.
I sincerely hope that all auto manufacturers proactively address cybersecurity, starting with the guidelines above, to make automobiles one of the most secure pieces of technology in our lives.
Comment