Menu

SMART TRANSPORT FEATURE NEWS

The IoT Is in Your Car, and That Means We Need a Change

By Ken Briodagh July 23, 2015

Most of the world’s automakers are putting connective infotainment systems into at least some of their vehicles. These systems will put the IoT on wheels and in the hands of consumers on the go. Or will it?

The key element seemingly forgotten in the rush to connect the cars is security. The point was strikingly made in a recent Wired article by Andy Greenberg that outlined the results of a hacking experiment in which a pair of sophisticated crackers take control of the writer’s Jeep Cherokee to disengage the transmission while the vehicle was in motion on the interstate and cut the brakes, forcing the driver to put the SUV into a ditch. All wirelessly from a laptop miles away and using a simple exploit that only required the vehicle’s easily-obtained ISP for its cellular connection. Though this test used a Fiat/Chrysler, the article makes clear that there are dozens of similarly vulnerable vehicles from almost every major automaker.

Terrifying.

Meanwhile, new analysis from Frost & Sullivan indicates that the connected car industry is already chomping at the bit to implement 5G connectivity, which may or may not have similar vulnerabilities, but with higher rates of data exchange possible. The study, The Global Advent of 5G in Cars, says that 5G will act as an enabler for autonomous vehicles and will make the over-the-air updates viable, since level 3 or 4 automation requires a massive amount of data processing to occur in real time.

All that sounds excellent, but driverless cars with these vulnerabilities can, even more than a compromised car with a driver, become a weapon in the hands of a villain. The study goes on to say that Asian countries such as South Korea and Japan will be the market leaders in commercializing 5G, while the experts in the Wired article say that several Asian carmakers are among the most vulnerable. Not a good match.

Now, most cellular infotainment systems in cars are many-to-few systems that communicate directly with a central information source. Soon enough, however, the cloud will also become a factor, with its own complications. In fact, it might not be that long at all, judging by a recent release from Electric Cloud, an enterprise continuous delivery and DevOps automation provider, and Arynga, an intelligent vehicle software management solutions provider. The pair announced a product integration partnership that will help automotive manufacturers, OEMs and system integrators adopt DevOps automation and Continuous Delivery practices to bring IoT software systems to the connected car market quicker than ever.

“Today's software applications are being developed and deployed through Agile-based methods, and applications are being further accelerated via DevOps and Continuous Delivery practices,” said Walter Buga, CEO, Arynga. “Partnering with Electric Cloud will help our automotive customers adopt these practices and speed the deployment of updates and new features that are differentiating products in the marketplace.”

Image via Shutterstock

This new over-the-air updating solution is potentially a new point of entry for bad actors, but it is more important as an all-too-infrequent fix for security issues. If software hacks can be found and exploited over-the-air, then systems like this need to become standard for repairing those vulnerabilities.

“The automotive industry is leading much of the innovation around the IoT movement, and partnering with Arynga provides customers a comprehensive approach for building and deploying software to vehicles in the most efficient manner possible,” said Steve Brodie, CEO, Electric Cloud.

But, not everyone in the industry was as concerned with the results of the Jeep hack. Ron Montoya, senior consumer advice editor at Edmunds.com, told IoT Evolution that consumers really don’t need to be alarmed.

“Car owners might read about this hack and become understandably concerned, but they need to know that this is not an issue that should keep them up at night. This was an isolated hack that could only be performed on one specific vehicle and it was not something that could be replicated on a mass scale. Jeep Cherokee owners who are concerned that this can happen to their cars can go to a dealership to install a patch to address the vulnerability, or they can even do it themselves.”

Although he is technically correct that this was an isolated test, it was also a proof of concept, and the pair of hackers who did the job said they have a whole list of vehicles that are susceptible to similar attacks. They chose the Jeep, they said, because it was the most vulnerable. The real problem is that, as Montoya said and a statement from Chrysler affirmed, the fix has to be done at a dealer, and won’t be patched to all owners remotely. Perhaps not a big deal now, but as cars become more automated and connected, wireless patches need to become standard practice.

“This is a legitimate issue for automakers and they have been proactively addressing these security concerns ever since the first connected car was introduced,” Montoya said. “Automakers are notoriously competitive, but this is one area where manufacturers are working together to address these sorts of vulnerabilities. It's in the entire industry's best interest to make sure they are on top of this issue so that safety continues to be a top priority.”

There are rumblings of concern in Washington D.C., too. New legislation has been introduced by Senators Ed Markey of Massachusetts and Richard Blumenthal of Connecticut, that directs the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards for securing cars and protecting privacy. The “Security and Privacy in Your Car (SPY Car) Act” would also set up a rating system, to be known as the “cyber dashboard,” that will rate automakers’ security approaches above and beyond the minimum standards.

“Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers,” said Blumenthal. “This common-sense legislation protects the public against cybercriminals who exploit exciting advances in technology like self-driving and wireless connected cars. Federal law must provide minimum standards and safeguards that keep hackers out of drivers’ private data lanes. Security and safety need not be sacrificed for the convenience and promise of wireless progress.”

The likelihood of all connected vehicles ever being completely safe seems unlikely, but steps need to be taken to keep folks safe. One approach is to remove storage form the local car or truck and move it into a secure cloud, via the cellular system.

Dave Miller, an international security thought leader, subject matter expert on connected vehicles and CSO, Covisint thinks that’s the way to go.

“Because cars are left alone so often – you purposely leave your car places unattended at least 90 percent of the time — it’s impossible to secure the vehicle itself. The easiest way for an auto manufacturer to fulfill requirements of car data security is to never store any data in the car and never let the car be the decision maker about external commands,” he said. “Store vehicle data in the cloud where you can secure it and make decisions about external commands.”

Whether cars are completely hardened against attack (which makes them very expensive), or data is stored non-locally, (another point of vulnerability), an answer needs to be found before the public will ever accept a driverless IoT-powered automotive fleet.

For more about securing the IoT and connected transportation, register today for the IoT Evolution Expo, August 17 to 20 at Caesars Palace in Las Vegas. 




Edited by Dominick Sorrentino
SHARE THIS ARTICLE
Related Articles

IoT Time Podcast S.3 Ep.46 Applied DNA Sciences

By: Ken Briodagh    12/13/2018

On this episode of IoT Time Podcast, Ken Briodagh sits down with Judy Murrah, CIO, Applied DNA Sciences, to talk about DNA tags for asset tracking, fo…

Read More

AT&T and Cradlepoint Provide First Step toward 5G for First Responders and Businesses

By: Ken Briodagh    12/13/2018

Access to New Cradlepoint Routers Gives FirstNet and AT&T Users the Fastest Speeds Possible Today with an Upgradable Path to 5G in the Future

Read More

Asavie Joins MaaS360 Community on IBM Security App Exchange

By: Ken Briodagh    12/10/2018

Asavie, a provider of secure Enterprise Mobility and IoT Connectivity solutions, announced recently that it has joined IBM's MaaS360 App Exchange ecos…

Read More

Orion Labs' Push-to-Talk Application Is Now FirstNet Certified

By: Ken Briodagh    12/7/2018

First responders and eligible public safety organizations can communicate in real-time to stay connected and better protect their communities

Read More

Kiho Produces AI-based Driver's Log in Finland

By: Ken Briodagh    12/3/2018

Finnish technology company Kiho reportedly has developed an AI-based driver's log, which learns to distinguish between the driver's working time drivi…

Read More