Drivers can’t seem to get enough of the new features behind the wheel made possible by IoT.
After nearly reaching $16 billion in 2015, the automotive IoT market is expected to explode to $82 billion by 2022. But while innovative features — such as assisted parking and remote start — can enhance the customer experience, they also bring increased risk.
Data that’s used to power connected cars can easily fall into the wrong hands, creating enormous safety and security threats. Researchers from Kaspersky Lab recently brought such concerns into focus when they were able to remotely control applications from some of the biggest car manufacturers. Given the absence of proper security measures, experts uncovered opportunities for hackers to unlock doors, turn off security alarms and even gain control over a vehicle.
To address these threats and stay one step ahead of hackers, automotive manufacturers need to build the following security strategies into their automotive IoT ecosystems.
Almost 40 percent of new car buyers in Germany, Brazil, China and the U.S. are reluctant to use connected services in a car due to privacy concerns. Manufacturers looking to ease the anxiety of such consumers should start by assigning a unique identity to each electronic device. Whether it’s an infotainment or real-time navigation system, IoT-enabled features shouldn’t be able to assume control over a vehicle’s critical functions — such as braking or steering. Unique identities are one way to ensure non-critical systems do not become a gateway to the rest of the vehicle’s functions.
By making it possible for devices to identify and authenticate the source and destination of specific requests, these identities can remove some of the risk tied to connected cars. Commands that once originated from basic devices will no longer serve as a gateway to the most important components of a vehicle.
Take time to authorize
Most electronic components are awarded the luxury of dishing out orders without restrictions. But if manufacturers hope to ramp up vehicle safety, that needs to change — and fast. Instead of authorizing every device to send or respond to commands, manufacturers should take a component’s operating context into account.
Technologies like parallel park assist, for example, should not be able to send commands while a vehicle is moving at high speeds. Mechanical safety functions that are necessary during certain situations should be enabled only when specific criteria are met, limiting the ability each device has to affect the car incorrectly. As limits are imposed on a device’s authorization levels, reliable device-centric security will improve.
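The identity and context checks described above, sketched as an added example that is not from the original article: a hypothetical in-vehicle gateway authenticates each command's source with a per-device HMAC key (standing in for whatever device identity a manufacturer issues), then applies a per-identity, context-aware policy. Device names, keys, the 10 km/h threshold and the message layout are all assumptions.

```python
import hashlib
import hmac

# Constructed per-device keys: one unique identity per component (assumption).
DEVICE_KEYS = {"park_assist": b"k-park-assist", "infotainment": b"k-infotainment"}

# (source identity, target, command) -> predicate over the operating context.
# Anything not listed is denied, so infotainment can never reach steering.
POLICY = {
    ("park_assist", "steering", "set_angle"):
        lambda ctx: ctx["speed_kph"] <= 10 and ctx["gear"] in ("D", "R"),
    ("infotainment", "audio", "set_volume"): lambda ctx: True,
}

def sign(source, target, command, counter, key):
    """Tag binding the claimed source, destination, command and a counter."""
    msg = f"{source}|{target}|{command}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Gateway:
    def __init__(self):
        self.last_counter = {}  # highest counter accepted per source

    def authorize(self, source, target, command, counter, tag, ctx):
        key = DEVICE_KEYS.get(source)
        if key is None:
            return "deny: unknown identity"
        expected = sign(source, target, command, counter, key)
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return "deny: bad authentication tag"
        if counter <= self.last_counter.get(source, -1):
            return "deny: replayed counter"
        self.last_counter[source] = counter
        rule = POLICY.get((source, target, command))
        if rule is None:
            return "deny: not permitted for this identity"
        if not rule(ctx):
            return "deny: operating context"
        return "allow"
```

The deny reasons map directly onto events worth logging: a bad tag or replayed counter suggests spoofing, while a policy denial from an authenticated device suggests a compromised or misbehaving component.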
At the heart of every connected car is an Electronic Control Unit (ECU). By doling out commands and capturing sensor data, an ECU influences many different areas of a vehicle’s operation. To ensure their vehicles are safe from a potential attack, manufacturers should consider implementing code-signing. This cryptographic method can go a long way toward securing over-the-air (OTA) updates that are vital to the functionality of ECUs. Given that hackers may want to leverage an ECU to alter the way a car runs, such security measures are an important part of any automotive security strategy.
There’s been a lot of hype about the automotive IoT market in recent years — and for good reason. The industry’s rapid growth may help deliver capabilities drivers once only dreamed of. With such innovation, however, comes the need for equally impressive security standards. Long-standing concerns over safety and security threaten to stop automotive IoT growth in its tracks. But by creating trusted identities and utilizing code-signing, manufacturers can alleviate consumer apprehension and establish trust along the way.
About the Author: Josh Jabs is the vice president in the office of the chief technology officer and is the general manager of IoT solutions at Entrust Datacard. He has more than 20 years of experience gauging the practical impact of changes in the technology ecosystem, most recently with the rise of the Internet of Things. Jabs also served as the vice president of PKI and IoT solutions and the vice president of global government solutions at Entrust Datacard prior to his current role.
Edited by Ken Briodagh