Vehicles are quickly evolving from being a simple way of transport to become a highly-computerized mobile hub. Modern cars and trucks are gradually turning into computers-on-wheels by plugging-in to the Internet to offer efficiency, comfort, and convenience, together with security and safety.
The Securing Connected and Autonomous Cars for a Smarter World report from the global business consulting firm Frost & Sullivan estimated new vehicles have about 100 Electronic Control Units (ECUs) and more than 100 million lines of code —providing a large attack surface ready to be automotive connectivity threats. Hackers can gain access to any vulnerable peripheral ECU (like Bluetooth) to control critical core ECUs (like engine or brakes).
Connected Vehicles are no different from other nodes on the Internet of Things (IoT), their systems are as vulnerable as any other connected devices and face the same cybersecurity threats and massive potential of being attacked. Critical concerns about cars and trucks becoming more connected are the vehicle itself posing risks and attackers discovering (and then exploiting) vulnerabilities. Considering the attacks are becoming more targeted and sophisticated each time, a single hack on a connected vehicle puts an entire fleet of cars and trucks at risk.
Ethical hackers have performed most of the reported attacks on connected cars. The most famous hack is the one to a Jeep Cherokee through a vulnerability on an entertainment ECU, resulting in Chrysler recalling 1.4 million vehicles due they all were using the same system. Others notorious attacks are the recent vulnerabilities found on Tesla cars, hacked twice by the Keen Security Labs —the same team then reported multiple vulnerabilities in BMW vehicles. The more connected cars and trucks are, the more exploitable they are... and the more lucrative targets they become for both ethical and non-ethical hackers.
Carmakers are currently not only concerned about the risks of car hacks but the cybersecurity on mass fleets. Considering those companies are manufacturers and not software developers (embedding several systems within the vehicle from multiple vendors), carmakers are doing extensive efforts to have the technology inside of the vehicles protected and solve the connectivity threats. The current struggle is that cars and trucks manufacturers are reactively testing vehicle systems after the cars have been designed and most of the times driving on the streets —fixing the issue until the next generation by bringing teams to come in and tear apart the systems to find vulnerabilities and isolating the entry areas from attackers. Companies know the urge of flipping this process, but changing it is a challenging problem. Therefore, they are focusing on encourage developers to code better, looking more carefully for security vulnerabilities in their code.
Several carmakers are also working directly on the servers and data centers side, trying to develop solutions to avoid connectivity threats and ensure vehicle cybersecurity. Even when vehicles made on the same production line must have the same standardized software from the factory, the reality is many data center servers deploy different software versions —and sometimes system admins also deploy them differently. Carmakers are hardening the controllers and interfaces that might be hacked, wanting to be the only entity able to make changes and update the software; if attackers are trying to exploit a bug for controlling the behavior of a system (like a change in a runtime), the hack gets blocked. Engineers aim to prevent it, once they identify the attempt of exploitation from a hacker.
The transportation industry still has a long way to go; both carmakers and companies working on automotive cybersecurity are investing in research and developing strategies for solving automotive connectivity threats.