Smart Cars are in the Slow Lane When it Comes to Security Standards
October 06, 2020
With connected cars still seen as a relatively new innovation in the context of regulatory timelines, the industry is lacking security standards and safety certifications as a result.
Is your car a connected car? I don’t mean, “is it capable of communicating directly with other vehicles?” I mean, “does it connect to the Internet in some way?”
Increasingly, the answer is “probably.” An article from Car and Driver that outlines a surprising number of 2020 vehicle makes and models come with a Wi-Fi hotspot as standard, and a surprising number of economy cars ranging from the Chevy Cruz to the Dodge Dart to the Ford Escape are rolling IP addresses as soon as they leave the factory.
We’re all aware of hackers who attempt to gain access to private information on the internet, but most of us don’t think twice about just how dangerous a cybersecurity threat can be in the context of a vehicle. Many of the possibilities are outlined in the popular 2015 “Jeep Hack” article on Wired. Still a consumer – and industry – knowledge gap still exists between cybersecurity for your PC and cybersecurity for your SUV.
But why should consumers be expected to understand, or even ensure, connected vehicle security, even if it is their own car? They aren’t expected to understand anti-lock brakes, airbags, or power steering – someone else understands it for them.
What Consumers Shouldn’t Know About Automotive Cybersecurity
The ioXt Alliance (The Internet of Secure Things Alliance) is a global standards body that develops security best practices for all manner of ordinary devices that are now being connected. The organization’s membership encompasses OEMs, network operators, technology ecosystems such as Google Assistant and/or Amazon Alexa, and even retailers, who jointly provide consumer cybersecurity in sectors such as smart homes, smart buildings, commercial IoT, cellular IoT, and connected cars.
According to Brad Ree, CTO of the ioXt Alliance, the most common automotive cyberattacks leverage wireless connectivity and/or cloud infrastructure to exploit vehicles, such as the denial of service (DoS) attacks that recently targeted on of Tesla's Model 3s via a web browser – this DoS exploit was able to disable features such as vehicle navigation, cluster, turn signals, autopilot notification, and more.
Other security vulnerabilities Ree mentions occur when newer communications technologies are layered on top of legacy automotive networks like the CAN bus, and inadvertently expose sensitive devices and channels to non-trusted data sources. Key fobs also present risks, as hackers can use a combination of signal repeaters and amplifiers to “trick” vehicles into providing access as they would if the physical key fob were close by.
The role of the ioXt Alliance is to understand what secure products, like a secure connected car, would look like in the real world, then develop security programs and best practices around its core principles .
Fig1. A cloud connected cyberattack via ioXt Alliance's threat analysis method.
“All of our standards are based on threat models,” Ree says. “We look at devices and products and we build out a threat model for each [type of] attack at each portion of the lifecycle, ranging from the factory, through provisioning and operation, all the way to being discarded and disabled.”
Why Industry Needs Third-Party Security Standards
Unfortunately, because connected cars are still a relatively new innovation in the context of regulatory timelines, security standards and safety certifications pertaining to these types of vehicles are still lacking throughout the industry. An example of this is California’s SB 327 bill, which when passed only included provisions to prevent the use of fixed passwords and the implementation of “reasonable” security.
Initiatives like SB 327 are complicated even further by the fact that both states and the federal government are attempting to implement their own regulations, while multiple different national standards like the Cyber Shield Act and the IoT Improvement Act are both potentially applicable to connected cars but neither takes precedent over the other.
Fig2. Breakdown of U.S. state and government regulations for connected vehicles.
Without set security standards in place and vague direction like “reasonable” security, auto manufacturers and Tier 1s are left without any guiding security principles in the development of connected vehicles. The situation is untenable in layered automotive supply chains that incorporate different chips and code bases, particularly given that lines between competitors and suppliers are often blurred, which can stall the advancement of secure technology architectures in the absence of an independent, governing third-party.
By taking best practices and security principles from organizations such as Amazon, Arm, Google, Legrand, NXP, TUV SUD/Rheinland, and others, the ioXt Alliance can develop security standards that not only span the entire automotive IoT technology stack, but transcend verticals to address cross-functional use cases such as smart home-to-connected car communications.
Abstracting Away Fear for Greater Connected Device Adoption
Of course, many of these automotive attack vectors have resulted from the desire to add more convenience and accessibility for consumers. Here, the balance between new features and robust security is key.
As an industry organization, the ioXt Alliance is focused on enabling innovation within a secure framework, while also preventing the topic of automotive cybersecurity from reaching the public eye in a negative way.
The ultimate goal is “to raise the security level of these devices while being transparent with the consumer so they know what they’re getting, and ultimately grow adoption of connected devices,” Ree adds.