Connected cars: fresh safety hazards on the road ahead

Advances in connected car technology are set to radically alter the future of driving for everyone. Among the promised benefits is the ability for cars to ‘learn’ from each other, provide early warning of mechanical problems and remotely interact with other devices. They may also allow insurers to accurately build up a ‘risk profile’ for every driver, leading to reduced premiums for some. Connected cars may even allow car manufacturers to target customers individually with software updates to suit their individual tastes.

Yet these technological advances also bring fresh risks to road safety. Few people realise that fitting cars with internet connections effectively turns them into a ‘browser on wheels’. Without proper security measures this opens up the unwelcome prospect of connections being intercepted. If this were to happen it’s only a short step before malicious attackers start remotely modifying software inside vehicles.

Already teething problems with connected cars have made the headlines. Last year BMW’s failure to encrypt its Connected Drive system to a HTTPS standard left them vulnerable to ‘man-in-the-middle’ hack attacks. There is concern too that Ford’s plans to connect cars to home devices via Amazon Echo and Wink may make them vulnerable to malicious attacks via known vulnerabilities present in domestic smart devices like TVs and thermostats.

Of even greater concern is the fact that the digitally-controlled components inside vehicles are currently all networked together.  This effectively means that safety-critical features of the vehicle, such as the software that controls the airbags or engine management, are on the same network as the software that runs the in-car entertainment. In theory there is nothing to stop a hacker from accessing the entertainment system and jumping across to send malicious commands to the engine, brakes or steering.

Campaigners such as Senator Ed Markey in his detailed report into connected cars are starting to generate some awareness on this issue. However, since security is not yet written into the ISO 26262 industry standard governing automotive software design we cannot expect the security questions surrounding connected cars to be resolved any time soon.

In response some of the bigger manufacturers have resorted to asking the general public to be their test facility. GM, for example, has introduced a bug bounty program aimed at publicly crowd-sourcing the notification of vulnerabilities in the increasingly complex cyber-systems within its connected cars.

One sure fire way to make a connection secure is to use VPNs.  There are three areas to take into account when using VPNs for a connected car environment:

• Connections – decide whether the application requires on-demand or always-on access as well as command line or API control
• Authentication – secure authentication can be achieved by some form of software/hardware network certification
• Centralized Management – a central way to remotely configure any Internet-connected device to patch or update software, scale VPN connectivity and manage authentications

As vehicles become part of larger networks of interconnected devices, each with wildly varying levels of security, vehicle manufacturers run the risk of unwittingly exposing their latest models to a dizzying web of vulnerabilities. The only solution is for automotive manufacturers everywhere to work towards adopting a universal “gold standard” in software design that embraces security industry best practices worldwide.  In addition, they need to introduce secure connectivity, such as VPNs, as soon as possible to the entire automotive software supply chain and all the third-party applications and devices that seek to connect to their vehicles.