How to avoid cyber-attacks to connected vehicles?

In early January the World Economic Forum in Davos announced the most serious global risks of 2018. The four risks they listed were extreme weather events, natural disasters, environmental degradation, and cyber-attacks. These attacks cause the most anxiety for entrepreneurs in developed countries. The anxiety surrounding cyber-security is based on people’s reliance on digital technology. By 2020 experts expect humans to be using 20 billion connected devices, which will doubtlessly create more opportunities for cyber-attacks.

Cars stopped being physically dependent on means of communication and networks at the end of the 20th century, and as the capabilities of so-called connected cars have increased, so has the potential for cyber-attacks. Today questions of IT development cannot be discussed without taking this problem into account.

Just as the internet changed the way we use computers, connectivity is changing the automobile and the driving environment as a whole. When personal computers were just starting to enter our lives, malicious programs represented a fundamental information security issue. A computer virus could lead to the corruption of data or sometimes even damage the computer itself. No one even considered that they could be used to steal data or use hardware improperly. Communications channels were very slow, and connecting to the internet or other networks was something only the “chosen few” could do. In those days the most frightening thing that could happen was that your computer might be damaged, in which case you would have to buy a new one. But as soon as the internet became available and the cost of hardware went down, things changed. Needless to say, viruses are still a very unpleasant event, but now we aren’t afraid of having to buy a new computer, but rather of losing our data or experiencing damage to the functionality of critical systems on which our lives depend.

The same thing is happening to vehicles right now. A car owner’s primary concern used to be holding onto the car itself — no one wants to look out the window and see that a recently-purchase vehicle has gone missing. But once cars started being connected to the internet, everything changed, and a number of additional threats appeared that are no less significant than theft.

The primary and most serious threat in the event of a cyber-attack is the danger to the driver’s life. In 2015 Chrysler recalled 1.4 million cars after a couple of hackers demonstrated to the magazine WIRED that they could control a Jeep’s system remotely over the internet. The hackers were able to turn the air conditioning and stereo on and off, disable the brakes, and interfere with steering while the car was being driven. In 2016 and 2017 Tesla vehicles were subject to attack. Security researchers from Keen Security Lab demonstrated an attack against a Tesla Model S. They were able to activate the brakes, open the doors, and flatten the mirrors from over twelve miles away. Later, one of the hackers hacked into the control system for the power supply of a Tesla Model S P85 and modified it, installing the autopilot and other software from dual-motor Tesla vehicles on its hardware. A hacked car could pose a serious risk to its owner’s health. Fortunately, the hackers’ frightening experiments are now helping car manufacturers and developers of connected car systems enhance the security of the products they launch.

The second threat is to data. In November 2017 Uber reported the theft of data belonging to 57 million of their users. The hackers stole the names, email addresses, and phone numbers of 50 million Uber passengers from all over the world. The hackers also gained access to the personal information of seven million drivers, including approximately 600,000 US driver’s license numbers. Trip history and vehicle usage, personal and statistical data — anything could be the target of an attack.

How do you feel about your data being stolen? Our cars have been our second offices for a long time now. People hold business meetings in their car over the loudspeaker without taking their hands off the wheel. They discuss life plans and talk to their children. Are you ready to share this information with the world? A hacker who connects to a vehicle’s system can gain remote access to everything that happens inside of it without physically breaking into it. The larger your business, the more frightening the prospect of the theft of company and personal information becomes. The car itself becomes less valuable than the information that can be extracted from it. And so auto theft, a crime against which most people are insured (and the first risk we listed), now represents a smaller loss than any other potential occurrences.

It goes without saying that, in order to avoid these threats, manufacturers of cars and car equipment need to develop secure systems. In the case of major consortiums, it will be necessary to publish standards and define requirements: OEMs need to agree upon requirements and release innovative new systems to prevent potential cyber-attacks. During development it will be important to focus on the technological, process-oriented component after checking to ensure that development and testing environments are organized and dealing with issues pertaining to product transport, security code storage location, and requirements that ensure the safety of that code.

For now, let’s return to the topic of personal computers. Right now we see that many high-quality security systems are being produced that make it possible to erect serious means of protection, but user behavior is not changing. And right now the weakest link in the world of information security is people. Unfortunately, we frequently focus on hardware and forget about people. You can install a sturdy iron door, but if your little son or elderly mother opens it every time someone comes knocking, how much does it enhance your security?

Vehicle security needs to be on a high level, but countermeasures must also be taken by users. The easiest car to steal is one without an alarm. The same goes for cyber-attacks. If a driver with an application connected to their car doesn’t follow safety rules — their phone or service isn’t password-protected, the identification method they use is too simple, or they don’t shut their Bluetooth headset off in the car — this could lead to certain problems.

At Bright Box we recognize the importance of security for end users and have extensive expertise providing Connected Car Security, so we have decided to launch a brief online course entitled “Cyber-Security for Drivers” containing practical advice.

The course will teach you how to protect yourself and your vehicle from criminals using modern technology, what you should be aware of, and which rules you should follow in order to prevent yourself from falling victim to any of the threats described in this article. The course will only take ten minutes. At the end you can take a test and get a certificate attesting to the successful completion of the course.

If you’re interested, could you please tell your friends or customers about this course. Many thanks!