More security gaps plague connected cars
The connected car ecosystem is becoming a complex system-of-systems, leaving vehicles vulnerable to cyber attacks.
This is according to a recent report by the Cloud Security Alliance (CSA), which notes security must be considered and accounted for at all levels of the connected car.
In March, market research firm Research and Markets noted the overall connected car market registered a shipment of 5.1 million units in 2015 and is expected to reach 37.7 million units by 2022, at a CAGR of 35.54% between 2016 and 2022.
"In the near future, connected vehicles will operate in a complex ecosystem that connects not only vehicles between each other and the traffic infrastructure, but also with new forms of connectivity and relationships to cloud-based services, smart homes, and even smart cities," says Brian Russell, chairman of the CSA IOT Working Group.
"For a safe and secure transportation system, the community must take a fresh look at the larger picture, and develop the policies, designs and operations that incorporate security throughout the development."
CSA says automobile connectivity today is evolving on a number of fronts. Platforms designed in the pre-connected era are now being connected in multiple ways, it points out.
It adds this has led to the ability of security researchers to gain access to sensitive vehicles. Sensitive functions can be compromised via direct access, such as with USB and the on-board diagnostic (OBD-II) port, or by remote access such as infotainment consoles, Bluetooth, WiFi and cellular devices.
"There are a number of motivations for bad actors to compromise connected vehicle components and technologies, ranging from curious hackers attempting to demonstrate weaknesses, to malicious entities attempting to cause harm, on both small and large scales," says John Yeoh, senior research analyst at the CSA.
"Only through the thoughtful use of disruptive technologies such as big data, machine learning and artificial intelligence can we help build a better, safer and more secure connected vehicle ecosystem."
The CSA notes one of the primary internal communication mechanisms in vehicles is the controller area network (CAN) bus. It is used to support communications between electronic control units within the vehicle.
Yeoh says the CAN bus was designed as a closed network and, therefore, implements no security features such as message encryption or authentication. "An unauthorised party that gains access to the bus can block legitimate messages and transmit illegitimate ones. Both actions can cause unwanted effects within the vehicle."
Since 1996, CSA says automobile manufacturers have built in support for retrieval of diagnostic codes and other information from OBD-II ports. Although these ports typically provide read-only access to information needed to diagnose a problem with the vehicle, some manufacturers do allow commands to be sent over the CAN bus, though typically not for safety-critical functions.
"It is clear from this and other vehicle security research that enabling connectivity to the once-closed CAN bus can result in harmful effects if security engineering principles are not properly applied," Yeoh says.
According to CSA, one of the first stages of pervasive connectivity with vehicles has been through the infotainment system. Manufacturers include these systems to provide feature-rich services and content to their customers, it explains.
"Often these services are enabled through subscriptions. Researchers have shown it is possible to gain access to an infotainment system and use that access as a jumping-off point to more sensitive vehicle functions," Yeoh notes.
CSA is of the view that a connected vehicle's infotainment system is an easy target for exploitation due to the connectivity it requires from various Web services such as weather, traffic, streaming audio, etc. "All it takes is a single vulnerability, for example misconfigured server, unencrypted API call, for an attacker to exploit the rest of the system."
The report also notes door locks offer additional connectivity options by using protocols such as Bluetooth and near-field communication along with key fobs and even smartphone applications. There have been recent media reports on the vulnerabilities of the remote keyless entry, whereby a thief uses a device to "amplify" the signal generated by a keyless remote, or plants a device near the vehicle that intercepts the door-opening code for later playback when the owner of the vehicle is away, it adds.