Roughly a quarter billion connected cars will be on our roads by 2020. That’s only two years away and we’re well on our way with 21 million connected cars out there. Already so many of our cars have fascinating features that allow us to get live updates to sports games, traffic, and social media while we drive. Even communicating car to car isn’t out of the question. The innovation is endless and potential threats are… also endless.
We’ve seen attacks demonstrated by researchers and know they're possible. Yet, there still doesn’t seem to be a consensus in the industry for automotive security. What's it going to take to make connected cars more secure and the roads safer? After all, a connected car is another endpoint that must be secured. Is there an industry-wide solution that can be used? We think so.
To a regular user, there isn’t much thought about security when buying a new device or toy that connects to the internet. Instead, the focus is on making life easier and more convenient. Cars aren’t an exception. “The connected car is already the third-fastest growing technological device after phones and tablets,” according to McAfee.
However, automakers and security experts know that the dozens of onboard computers are like any other: they communicate with outside sources, contain lots of information, and could be large targets for an attack.
Connected cars (or really, the systems they connect to) are a data mine. For example, cars collect lots of specific data about you, like GPS coordinates and speed, giving automakers (and a potential attacker) access to personal information about your habits. Cars can now monitor parts for wear and tear, and give recommendations for maintenance.
Organizations are exposed. An attacker could use a vehicle as a back door into a business’ system, as businesses are partnering with automakers to provide entertainment or convenience services, like OnStar.
Automotive security bridges the gap between digital and physical; it's more than your data that’s at risk. A custom-built device is able to locate, unlock, and start cars remotely. In the worst case, attackers could physically control the car while it’s moving—TechCrunch dives deeper on the cybersecurity obstacles: “One of the central challenges in vehicle cybersecurity is that the various electrical components in a car (known as electronic control units, or ECUs) are connected via an internal network. Thus, if hackers manage to gain access to a vulnerable, peripheral ECU — like a car’s Bluetooth or infotainment system — they may be able to take control of safety-critical ECUs like its brakes or engine, wreaking havoc.”
Cybersecurity for cars isn’t an easy problem to solve because there are many moving parts, and it calls for a robust solution.
Fortunately, security is on the minds of many automakers. Ford, for example, says its doing several things to protect communications and drivers: the vehicle controls systems network is separated from the infotainment system, encryption is used to prevent updates to the software or access to data, and software updates have to be certified (“code signed”) by Ford in order for the system to update.
Code signing is an essential piece in the security solution puzzle for connected cars. It’s one that allows manufacturers, automakers, and businesses to certify that communication is coming from a trusted source. Code signing is a Public Key Infrastructure (PKI) technology—a network of encryption, authentication, and identity checks that factor nicely into a well-rounded security solution. The Web PKI—which uses SSL/TLS certificates to provide HTTPS on websites—is the most widely known PKI deployment.
Any PKI system has two main components: A Certificate Authority (CA) and certificates. The CA is centrally managed and issues certificates to individual users or computers. These certificates allow devices to be identified and communicate securely, preventing spoofing or on-the-wire tampering. Public-key cryptography is used to securely exchange encryption keys over the network which can be used to encrypt data, authenticate a device, and more.
PKI is a proven solution that’s been trusted for decades in other use cases—the web trust ecosystem is what it is because of PKI. Now PKI can be used by billions of devices and systems that connect to the internet. PKI provides encryption, authenticates users or devices, and certifies identity. It’s an incredibly adaptable technology that can be used in a number of ways with vehicles—code signing is one example, but PKI can also be used to allow individual vehicles (or even individual chips within a vehicle) to authenticate themselves, encrypt data sent between systems, and provide integrity checking. Certicom makes a great case for automotive PKI in this white paper.
Whether it’s a hacked Jeep or an app vulnerability, connected cars are failing to use encryption and authentication to protect drivers. Automotive PKI can prevent remote attacks, send security OTA updates, and protect communications. Learn more about PKI steps manufacturers and security teams can take today to secure connected cars.