Not yet worried about vehicle hacking? You should be!

 

As a matter of fact, it is not only vehicles that can be hacked, actually any IoT device can be hacked.

AV-Test.org published this paper about vulnerabilities in the fitness wristbands and Apple Watch, which shows how they tested and how secure the devices are.

However, a hack of these IoT devices is not as dangerous as hacking a vehicle. I am not saying that they don’t matter, on the contrary.

This is why I am mostly interested in vehicles: hacking can be dangerous and it is, with manufacturer’s permission at least, to improve their security.

 

According to the RSA presentation from Kelly Blue Book, 62% of consumers are worried that cars will be easily hacked in the future. In their corresponding report “Braking the Connected Car: The Future of Vehicle Vulnerabilities,” one in three prospective car buyers say connectivity is a big factor in their decision.

Furthermore, they claim that 62% of consumers are worried that cars will be easily hacked in the future. And yet, 44% of consumers feel that the vehicle manufacturer is responsible for securing a vehicle from hacking. So much being personally accountable for our own security. This is actually no wonder – think of the computer industry. Despite the fact that security software has become a commodity (and it is free of charge), still unbelievable many don’t have one installed. Should the consumers expect the PC manufacturers to deliver the hardware with security software installed? Well, this is going to be discussed in another post.

blue-book-1

(Source: KBB.com, [1])

The global connected car market will be worth €39 billion in 2018 up from €13 billion in 2012, according to new forecasts from research firm SBD and the GSMA, which represents the interests of mobile operators worldwide. Over the next five years, there will be an almost sevenfold increase in the number of new cars equipped with factory-fitted mobile connectivity designed to meet demand among regulators and consumers for safety and security features, as well as infotainment and navigation services.

Even if we have today more than 50% of the cars not connected, there are and will be more and more solutions to connect them.

Mostly, they will be connected to the smartphone and using the smartphone they will have connectivity .

The most interesting thing is that consumers are willing to pay for anti-hacking software !

48% would pay about 8$/month for software and an amazing 56% would pay more than 9$/month for insurance to cover any losses incurred by vehicle hacking.

Wow… what a huge business opportunity! Even if the price for security would as low as 2$/month, there is still a huge opportunity!

The tricky part is that the majority of these consumers, 56%, expect the vehicle manufacturer (short: v.m.) to provide the offer this subscription. This means that the security companies have to work with the v.m. to provide security. And, since consumers are going to pay to the v.m. the subscription, all has to be provided as an OEM solution for the v.m.

With such an immense financial potential, also malware authors will take vehicles under consideration.

This is why I think that it is only a matter of time until we will see hacking, ransomware and even spam (advertisements, messages, etc.) sent to vehicles.

 

The common strategies used to attack IoT technologies are:

  • Weaknesses in authentication (Peer to Peer, Peer to Backend) – many still implement authentication and authorization in one step and they do it also wrong.
  • Practical cryptographic tampering – encryption is (still) seen in this field as the “solution to all problems” and this is why it is done quickly, just to gain more time. Unfortunately, it is very easy to do it wrong…
  • Gaps in endpoint integrity – the device works despite having been tampered with.
  • A lack of segmentation between critical and non-critical applications – if the infotainment system needs to display various information from the vehicle, it should have just these rights (read-only) and not more.
  • Flaws in software applications (most manufacturers have started recently to set up a Secure Software Development Lifecycle) – vulnerabilities, not enough testing, and many more points that are part of a Security Initiative
  • Business logic weaknesses – there has to be a clear definition of what an application does and what is not. Mixing many functionalities in one only makes the security elastic.

I will write a detailed post about how to address each of these topics and more.

 

To enable the market to achieve its full potential, the security, automotive and mobile industries need to work closely together to deliver secure, scalable, interoperable, ubiquitous and last but not least, user friendly connected experiences.

 

This post was also inspired from

  1. this presentation held by Karl Brauer and Akshay Anand, from Kelley Blue Book at the RSA Conference 2016.
  2. these presentations (1, 2) from GSMA.

 


© Copyright 2016 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch