The IoT Is in Your Car, and That Means We Need a Change

By Ken Briodagh July 23, 2015

Most of the world’s automakers are putting connective infotainment systems into at least some of their vehicles. These systems will put the IoT on wheels and in the hands of consumers on the go. Or will it?

The key element seemingly forgotten in the rush to connect the cars is security. The point was strikingly made in a recent Wired article by Andy Greenberg that outlined the results of a hacking experiment in which a pair of sophisticated crackers take control of the writer’s Jeep Cherokee to disengage the transmission while the vehicle was in motion on the interstate and cut the brakes, forcing the driver to put the SUV into a ditch. All wirelessly from a laptop miles away and using a simple exploit that only required the vehicle’s easily-obtained ISP for its cellular connection. Though this test used a Fiat/Chrysler, the article makes clear that there are dozens of similarly vulnerable vehicles from almost every major automaker.


Meanwhile, new analysis from Frost & Sullivan indicates that the connected car industry is already chomping at the bit to implement 5G connectivity, which may or may not have similar vulnerabilities, but with higher rates of data exchange possible. The study, The Global Advent of 5G in Cars, says that 5G will act as an enabler for autonomous vehicles and will make the over-the-air updates viable, since level 3 or 4 automation requires a massive amount of data processing to occur in real time.

All that sounds excellent, but driverless cars with these vulnerabilities can, even more than a compromised car with a driver, become a weapon in the hands of a villain. The study goes on to say that Asian countries such as South Korea and Japan will be the market leaders in commercializing 5G, while the experts in the Wired article say that several Asian carmakers are among the most vulnerable. Not a good match.

Now, most cellular infotainment systems in cars are many-to-few systems that communicate directly with a central information source. Soon enough, however, the cloud will also become a factor, with its own complications. In fact, it might not be that long at all, judging by a recent release from Electric Cloud, an enterprise continuous delivery and DevOps automation provider, and Arynga, an intelligent vehicle software management solutions provider. The pair announced a product integration partnership that will help automotive manufacturers, OEMs and system integrators adopt DevOps automation and Continuous Delivery practices to bring IoT software systems to the connected car market quicker than ever.

“Today's software applications are being developed and deployed through Agile-based methods, and applications are being further accelerated via DevOps and Continuous Delivery practices,” said Walter Buga, CEO, Arynga. “Partnering with Electric Cloud will help our automotive customers adopt these practices and speed the deployment of updates and new features that are differentiating products in the marketplace.”

Image via Shutterstock

This new over-the-air updating solution is potentially a new point of entry for bad actors, but it is more important as an all-too-infrequent fix for security issues. If software hacks can be found and exploited over-the-air, then systems like this need to become standard for repairing those vulnerabilities.

“The automotive industry is leading much of the innovation around the IoT movement, and partnering with Arynga provides customers a comprehensive approach for building and deploying software to vehicles in the most efficient manner possible,” said Steve Brodie, CEO, Electric Cloud.

But, not everyone in the industry was as concerned with the results of the Jeep hack. Ron Montoya, senior consumer advice editor at, told IoT Evolution that consumers really don’t need to be alarmed.

“Car owners might read about this hack and become understandably concerned, but they need to know that this is not an issue that should keep them up at night. This was an isolated hack that could only be performed on one specific vehicle and it was not something that could be replicated on a mass scale. Jeep Cherokee owners who are concerned that this can happen to their cars can go to a dealership to install a patch to address the vulnerability, or they can even do it themselves.”

Although he is technically correct that this was an isolated test, it was also a proof of concept, and the pair of hackers who did the job said they have a whole list of vehicles that are susceptible to similar attacks. They chose the Jeep, they said, because it was the most vulnerable. The real problem is that, as Montoya said and a statement from Chrysler affirmed, the fix has to be done at a dealer, and won’t be patched to all owners remotely. Perhaps not a big deal now, but as cars become more automated and connected, wireless patches need to become standard practice.

“This is a legitimate issue for automakers and they have been proactively addressing these security concerns ever since the first connected car was introduced,” Montoya said. “Automakers are notoriously competitive, but this is one area where manufacturers are working together to address these sorts of vulnerabilities. It's in the entire industry's best interest to make sure they are on top of this issue so that safety continues to be a top priority.”

There are rumblings of concern in Washington D.C., too. New legislation has been introduced by Senators Ed Markey of Massachusetts and Richard Blumenthal of Connecticut, that directs the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards for securing cars and protecting privacy. The “Security and Privacy in Your Car (SPY Car) Act” would also set up a rating system, to be known as the “cyber dashboard,” that will rate automakers’ security approaches above and beyond the minimum standards.

“Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers,” said Blumenthal. “This common-sense legislation protects the public against cybercriminals who exploit exciting advances in technology like self-driving and wireless connected cars. Federal law must provide minimum standards and safeguards that keep hackers out of drivers’ private data lanes. Security and safety need not be sacrificed for the convenience and promise of wireless progress.”

The likelihood of all connected vehicles ever being completely safe seems unlikely, but steps need to be taken to keep folks safe. One approach is to remove storage form the local car or truck and move it into a secure cloud, via the cellular system.

Dave Miller, an international security thought leader, subject matter expert on connected vehicles and CSO, Covisint thinks that’s the way to go.

“Because cars are left alone so often – you purposely leave your car places unattended at least 90 percent of the time — it’s impossible to secure the vehicle itself. The easiest way for an auto manufacturer to fulfill requirements of car data security is to never store any data in the car and never let the car be the decision maker about external commands,” he said. “Store vehicle data in the cloud where you can secure it and make decisions about external commands.”

Whether cars are completely hardened against attack (which makes them very expensive), or data is stored non-locally, (another point of vulnerability), an answer needs to be found before the public will ever accept a driverless IoT-powered automotive fleet.

For more about securing the IoT and connected transportation, register today for the IoT Evolution Expo, August 17 to 20 at Caesars Palace in Las Vegas. 

Edited by Dominick Sorrentino
Get stories like this delivered straight to your inbox. [Free eNews Subscription]
Related Articles

Zipline Announces 'Zip' Drones for Precise, Autonomous Deliveries

By: Alex Passett    3/31/2023

Zipline's "Zip" delivery drones are next-gen, virtually silent machines that are expected to deliver up to seven times faster than traditional automob…

Read More

Modeshift Partners with LTCA for Smart Ticketing

By: Stefania Viscusi    11/17/2022

Modeshift's smart transit solution has been adopted by Luzerne County Transportation Authority (LCTA) in the Wilkes-Barre, PA.

Read More

Video-Based Safety and AI Technology Can Reduce Truck Accidents

By: Tracey E. Schelmetic    11/15/2022

IoT solutions with video-based safety and AI technology can help reduce the likelihood of accidents by identifying distracted and aggressive driving.

Read More

Upward Mobility: Urban Movement Labs Joins Smart City Venture Studios as New Agency Partner

By: Matthew Vulpis    2/24/2022

The technology developed to create "smart cities" can make communities more effective and efficient in the use of resources, a necessity given the pro…

Read More

Up, Up, and Away - With Your IoT Data?

By: Special Guest    2/4/2021

Times have changed in the amazing world of the Internet of things (IoT). What once was a new and compelling idea has quickly worked its way into the h…

Read More