
The evolution of connected vehicles: Security critical when lives are at stake

30 May 2017

The Cloud Security Alliance is taking a close look at connected car security and how it unfolds in the future, covering everything from design to possible ways attackers can take control.

The CSA released its first research report on the topic this month. Titled Observations and Recommendations on Connected Vehicle Security, it provides in-depth details about vehicle security connectivity design, possible attack vectors of concern and recommendations about how to better secure the environment.

The ultimate goal is to create a vehicle security design that is flexible in adapting to future challenges and cognisant of the unanticipated threats that disruptive technologies bring.

“In the near future, connected vehicles will operate in a complex ecosystem that connects vehicles not only with each other and the traffic infrastructure, but also with new forms of connectivity and relationships to cloud-based services, smart homes, and even smart cities,” comments Brian Russell, chair of the CSA IoT Working Group.

He believes that for a secure and safe system, policies, designs and operations that incorporate security must be implemented in the development stages.

Protecting systems from possible attack vectors must also be front of mind: the report proposed 20 different attack vectors and what could happen in each case.

Those attack vectors include monitoring the vehicle's messaging traffic, which could result in unauthorised tracking; reverse engineering firmware to hijack safety-critical operations; and infecting the vehicle with malware to disable it entirely.

The report cites cases in which Fiat Chrysler recalled 1.4 million cars and trucks after hackers were able to remotely disrupt a Jeep Cherokee. In another attack, researchers managed to control a Tesla Model S car and turn it off at low speed. Tesla has fixed the issue.

“There are a number of motivations for bad actors to compromise connected vehicle components and technologies, ranging from curious hackers attempting to demonstrate weaknesses, to malicious entities attempting to cause harm, on both small and large scales,” explains John Yeoh, senior research analyst at the CSA.

“Only through the thoughtful use of disruptive technologies such as big data, machine learning and artificial intelligence can we help build a better, safer and more secure connected vehicle ecosystem.”

Even older cars that are being fitted with connected devices are not immune. Security researchers have been able to gain access to sensitive functions through direct or remote access, including USB, diagnostics, Bluetooth, Wi-Fi and infotainment consoles.

The report provides a number of recommendations, including strong boundary defence, interface filtering, securing update processes, aftermarket protection, data integrity, privacy protection, malware defence and continued R&D.
