Santosh Jinugu
Director
Deloitte India

Security, Privacy And Safety Concerns In Connected Cars

In today’s world, staying connected is as important as the air that you breathe. A person’s need to stay connected transcends all boundaries, especially when on the move. As part of a new era of technological advancement, the Internet of Things (IoT) is leading the auto industry away from thinking only about moving people from point A to point B and towards re-imagining the way the world would like to move. Additionally, customers these days expect a flexible and customised experience from a car service provider. Cars or mobility vehicles are increasingly adopting innovations that enable increased connectivity. Some of these are: smartphones remotely controlling vehicles, unlocking them and checking parameters; voice-based entertainment, climate and navigation systems; and vehicles sharing information with other systems or vehicles.

What if a self-driving car faces a moral dilemma: whether to save a car with two passengers or another one with four passengers? What if an attacker takes control of a moving vehicle and causes it to crash on a busy highway? What if an external user gains access to a car’s control unit remotely and manipulates signals, resulting in errors and ultimately vehicular collisions? What if the anonymous data collected or shared by vehicles gets accessed by digital thieves, who use AI and big data analytics to reveal specific individual user information? Such connected cars and their associated ecosystems give rise to an undesired complementary chain of nexus threats. Hence, it is mandatory that the OEMs of such vehicles also take into account risks related to security, privacy and safety when designing the vehicles.

Let’s take a look at the various risks and their drastic impacts.

The rise of automated controls in vehicles is overwhelming. Modern-day vehicles have more software vulnerabilities than before, which can be easily hacked or exploited, resulting in something as trivial as harmless mischief or something as serious as death. A couple of years ago, security researchers found a flaw in an OEM-provided application that could potentially be used to operate any function, including draining the electric vehicle’s battery.

This shocking flaw highlights the need for a unique identification protocol and a ‘secure-by-design’ principle, applied throughout the development lifecycle. This will lead to security of the vehicle software and ensure that its ecosystem is not compromised. Very recently, a couple of security researchers were able to exploit a bug in the internal browser of an all-electric vehicle and render it on the dashboard display, making it redundant.

With a new generation of consumers, there is a growing demand for connected autonomous vehicles, which deliver a significant amount of benefits and convenience. The sensors and devices in these vehicles collect and share a great deal of data to interact with their surrounding environment, which can be broadly termed V2X (‘Vehicle to Everything’). This opens a wide array of attack vectors like vehicle identification information, vehicle locator, feel health monitoring etc., as not all data that is collected is anonymised. The data stored or in transit is ideally not encrypted, to avoid latency issues. These attack surfaces can easily be taken advantage of by malicious users to gather personal information associated with vehicles. To avoid this, auto manufacturers should start implementing privacy-by-design principles in the development life cycle and implement procedures such as encryption at rest and in transit, factory resets or data erasure procedures.

Last but not least, the safety of people should not be compromised due to insecure vehicle ecosystems. One such case was reported when an auto manufacturer issued a safety recall affecting 1.4 million vehicles in the US, after security researchers showed that one of its cars could be remotely accessed and made to change course and fall into a pit. It was demonstrated that hackers controlled the vehicle remotely, using the car’s entertainment system, which connected to the mobile data network. Such flaws, if exploited in real time, could prove fatal to many users and lead to irreparable damage. These vulnerabilities highlight the need to segregate internet-connected systems from critical driving systems, thereby implementing safety at the design level.

The Way Forward

With no clear standards, policies or guidelines mandating the security of sensors, components and the whole vehicle ecosystem interacting with each other, there is a high chance that someone may misuse it, unless some key steps are taken to counteract it.

Auto industries, service providers, component manufacturers and technology companies should work together to make sure security, privacy and safety are embedded at the design stage and not added as an afterthought. Some of the risks highlighted have been confronted before and dealt with using the basics, which businesses should implement proactively going forward.
