This blog was written by an independent guest blogger.
To those who pay attention to such things, it seems like a new vulnerability in smart car systems is found every week. In 2020, the numbers beat all previous years. The inescapable conclusion is that smart cars are now among the favorite targets of hackers and APT (Advanced Persistent Threat) actors.
One of the main reasons for this is the sheer number of different systems that the average connected car contains today. Quite apart from advanced features like autonomous driving and automatic braking, even less expensive cars now offer extensive Bluetooth and WiFi connectivity.
As we’ll explore in this article, this makes securing these cars against cyberattack almost impossible for human analysts. Instead, we should think more seriously about turning to automated systems – and soon – in order to make sure that our smart vehicles are safe as they can be.
Connectivity vs. Security
Connected vehicles pose something of a unique challenge for cybersecurity engineers. This is because the way in which these vehicles are designed and built, as well as how they interact with the real world that you and I inhabit, is quite different from the average mainframe.
In most cases, for instance, the connectivity offered by smart vehicles is often designed by automotive product designers, or at very best UI designers, who have little understanding of the way that their desired level of connectivity will affect security. In other words, smart cars are generally keen to connect to any other device that comes within range – whether this be a smartphone, pen drive, set of headphones, or Wifi router – and often does so in a highly insecure manner.
This gives rise to a number of consequences: some obvious, some less so. One is that the long-running debate about whether vulnerability scanning vs. pen testing has been resolved, at least as it relates to smart vehicles. They are incredibly easy to penetrate, and so scanning for vulnerabilities becomes the only practical way to protect them. Even insurance companies have been forced to become at least somewhat knowledgeable when it comes to pricing out their service. In short, it now costs more to cover tricked-out supercars loaded with the latest in technology. More connected systems means there is greater opportunity for hackers to execute a successful cyber-carjacking.
The supply chain
Unfortunately for the network engineers attempting to protect smart vehicles, it gets worse. Not only are connected cars keen to connect to everything without performing any due diligence, but the sheer number of different manufacturers that contribute to a finished vehicle makes the idea of standardizing security almost impossible.
In the trade, this issue is known as the “supply chain problem,” and is a real headache for engineers. In practice, it goes something like this. They could spend time researching which auto manufacturer has the largest market share for connected cars and try to build systems that would isolate, say, the Bluetooth connectivity that turns the car on and off. But just as they manage to achieve this, their product manager could quite easily swap suppliers for the Bluetooth aerials and render the whole process obsolete.
And then, unbelievably, it gets even worse again. Because it’s not just a vehicle itself that is at risk if a hack is successful. Today, consumers are likely to have their car connected to their smartphone, smart home, or smart toaster. This gives unprecedented opportunities for hackers to achieve what is known as “lateral movement” – using access to a smart heating system, for instance, to gain access to a smart car, and then using this access to get into your emails, then your online banking.
This type of threat is still regarded as a relatively niche area of criminal interest, but the risks are very real. We’re still not very good in general at physically protecting our stuff, and in a country in which a property crime occurs every 3.9 seconds, we shouldn’t let our desire for smart homes undermine the most important function of our houses – to keep our stuff safe.
We can easily transfer that thought process to automobiles.
It might seem like the task of protecting smart vehicles (largely from themselves) is impossible. But there is an emerging solution that might offer a way out. Automated Vulnerability Scanning (AVS), as the approach is known, is a relatively new way of protecting devices and systems against the kind of wide-spectrum threats faced by connected vehicles.
AVS takes a slightly unconventional approach to cybersecurity, at least to those of us raised in an era in which access controls and encryption were the most important elements of a cybersecurity strategy. With AVS, it is assumed that all systems – from a smart heating program to a car’s internal cumbustion system – will face cyberthreats from time to time. It is further assumed that a human, no matter how smart and dedicated, will find it impossible to stay on top of these.
Therefore, threat detection is automated through the process of vulnerability scanning. This can incorporate a wide variety of individual tasks, from automated reading of threat bulletins through to AI-enhanced analysis of user data in order to detect intrusion. What all of these systems share, though, is a concern to wrap a heterogeneous system like a smart car in a homogenous security shield which obviates the differences between the individual components.
Of course, we are still at the beginning of this journey, and the future of cybersecurity for connected vehicles is difficult to see, even for those deeply embedded in the industry. Nonetheless, it’s already apparent that automated vulnerability management, which was up until now something of a solution looking for a problem, might finally find it’s most natural niche in smart, connected vehicles.
And if it does, perhaps the weekly round-up of connected vehicle vulnerabilities will slow down a little.