The Internet of Things continues to gain popularity with consumers, and the automobile industry has taken notice.
Auto makers continue to fine-tune wireless technology that provides Internet connection to help conduct business on the go, as well as features to benefit the driver such as notification of potential safety hazards and pending crashes. Car owners can also download smartphone apps to remotely unlock their cars, check engine status or find a vehicle's location.
But along with these technological advantages, connected vehicles also come with the same cybersecurity vulnerabilities as any other IoT device, said Daniel Allen, a research fellow at the Center for Climate Change and Security. Allen is also a U.S. Army/Desert Storm veteran, and was recently announced as a finalist in the 2016 Entrepreneurs' Organization-Houston Veterans Business Battle for his proposal to develop an online education center specializing in the cybersecurity of connected vehicle technology. In this Q&A, Allen discusses connected vehicles' cybersecurity vulnerabilities and how regulations such as the SPY Car Act are being designed to protect consumer data.
What are some of the cybersecurity risks facing consumers and automakers as connected, IoT-type technology is increasingly implemented in automobiles?
Daniel Allen: Connected vehicle technology potentially increases driving safety and efficiency through its ability to communicate with the Internet and other automobiles. But this connectivity, or interconnectedness, also exposes vehicles and the people inside of them to serious risks from cyberthreats. These vehicles are designed as the ultimate mobile, Internet-connected device or Hot Spot, like a portable wireless LAN that provides Internet connection access from any location. The cyber risks that consumers and automakers face stem from weakened basic cybersecurity fundamentals of confidentiality, integrity and authentication, or CIA.
As vehicles become more connected, more autonomous and become part of the Internet of Things, this ability to communicate with other vehicles and infrastructure through wireless networks increases the threat of cyberattacks. This increases safety and security risks of the individuals within the vehicle. Simply put, today's connected vehicles have morphed into computers that you can drive around in, and they are susceptible to many of the same cybersecurity risks as desktop or laptop computers.
The vulnerability of automotive systems to hacking was demonstrated by cybersecurity researchers Charlie Miller and Chris Valasek in 2013, when they managed to take control of several functions of a Toyota Prius. In 2015, they remotely hacked a Jeep Cherokee from 10 miles away through its Uconnect feature. They were able to change its speed and control its brakes, radio, windshield wipers, transmission, and other features. This demonstration was a wake-up call for the industry: 1.4 million cars were recalled for software updates, and an estimated 471,000 vehicles were vulnerable.
What are some potential compliance measures being proposed as a result of the cybersecurity risks of connected vehicles technology?
Allen: Automotive vulnerabilities to cyberattacks are now at an all-time high, which prompted the government to take direct action. On July 21, legislators introduced first-of-its-kind legislation: the Security and Privacy in Your Car Act. The legislation directs the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal security and privacy standards for today's connected cars.
The compliance measures outlined in the SPY Car Act address the convergence between automotive technology and computer technology. Automobiles are quickly becoming the ultimate mobile device with different computer connections being implemented into vehicles, including telematics systems, sensors, Bluetooth, and 802.11 IEEE wireless LAN standards.
Do you think these standards would help protect consumers with connected automobiles?
Allen: The resulting standards should provide effective protection for consumers with connected automobiles if they are similar to the cybersecurity compliance standards that were created for other sectors of our nation's critical infrastructure. It is important to note that industrial control and SCADA systems share important similarities with the automobile industry: Both are industries that have been around a long time but have not been successfully targeted by unethical hackers.
This has led to a weak cybersecurity strategy with little or no defensive security prerequisites, which makes them more vulnerable to exploits. Also, both industries have yearlong product development cycles, so by the time the product enters the market, the mitigations to the known security threats become inconsequential when new cyberthreats surface. The Stuxnet worm was an example of how industrial control systems could be compromised due to their inherent lack of defensive security and long product cycle developments.