The Connected Car: An accelerating cyber security issue?

This is a contributed piece by Simon Moffatt, Director Advanced Customer Engineering at ForgeRock


The Internet of Things is making our homes and cars smarter, connecting everything to everything else. Automated vehicles are expected to revolutionise motoring by 2020 and it’s been reported that the first trials of driverless cars will be take place on Britain’s motorways sometime next year.

Meanwhile, a driverless lorry has already been tested on a public road in Germany last October.

Today it’s estimated there are up to 60 million connected cars worldwide. Equipped with internet access, these vehicles offer drivers a multitude of benefits and smart options – such as enhanced engine controls, automatic crash notifications and safety alerts, along with apps that allow owners to interact with their vehicle from any distance.

Within the next five years, Gartner predicts there will be over 250 million smart cars. But many of these vehicles will potentially have limited capabilities with respect to identity management, making data vulnerable, due to the lack of necessary sharing capabilities. And that weakness will prove to be a big problem when it comes to delivering a trusted, personalised driving experience.


Unlocking the doors to connected vehicle hackers

Back in 2011 researchers [PDF] from the University of Washington and University of California published a paper on how criminals could remotely compromise a vehicle and gain complete control of a car. More recently, Nissan was forced to suspend its smart car companion app after researchers found it could be used to access control systems in its Leaf electric cars, due to a lack of API protection.

But what most caught the public’s imagination was the now infamous hack of a Jeep Cherokee. Last July Wired magazine published an account describing how two security researchers were able to wirelessly hack into a vehicle, via its Uconnect ‘infotainment’ system, as it was being driven by a journalist at 70 mph down a highway. During the controlled hack, the ‘attackers’ first took control of the entertainment system and windshield wipers, before disabling the vehicle’s brakes, commandeering the steering wheel, and finally cutting the transmission to immobilise the Jeep. What’s more they were able to track the Jeep’s GPS coordinates, measure its speed, and trace its route.


Exploiting the flaws: the cyber security challenge

As cars evolve to become connected computerised platforms, they are becoming an increasingly attractive target for hackers looking to compromise autonomous driving systems to cause accidents or to gather telemetric data and gain detailed insights into a driver’s day-to-day routines. Just as worrying is how the synchronisation of consumers’ mobile devices with in-car systems puts their personal data at risk of remote theft by a hacker who has compromised a vehicle’s Bluetooth or Wi-Fi interface, unless the necessary remote revocation capabilities are applied.

Clearly, identity is set to become a critical aspect of the connected car – the identity of the user, of the car and its connectivity system, and the devices that connect with the vehicle itself. In terms of security, it will be essential that only the vehicle’s operator – whose identity is authenticated in advance – can control the various on-board connected devices. That means an effective identity management platform needs to be deployed.

With this platform in play a car’s identity could be linked to potential car drivers, while other passengers gain specific authorisations in terms of the actions they can perform – for example, access to the onboard entertainment system only. The use of such digital personas (often common in standard OAuth2 pin-and-pair ecosystems for devices such as smart TVs), can help to provide a secure personalised experience.


Identity based security: gaining consumer trust

Consumers will steer clear of connected cars if they believe new technologies put their safety, and their personal data, at risk. In the future, multi-layered security approaches will be essential to protect connected smart cars from remote ‘jacking’.

To this end, a number of multi-factor authentication approaches are already being tested in tandem with onboard identity management systems to increase vehicle security. Alongside validating a driver and authorising the start of a vehicle, these authentication systems could be used to deliver a fully customised driving experience complete with personalised driver settings.

The connected car clearly represents an exciting prospect. But consumers will need to have complete trust that the technology is both safe and secure. That means that auto manufacturers will need to address IoT information security and identity issues in order to protect both the legitimate owner, and other occupants in the vehicle. But by adopting a multi-layered approach to identity and data management, car vendors and the associated vehicle ecosystem, can start to deliver a truly personalised and modern driving experience.


Further reading:

The IoT “time bomb” report: 49 security experts share their views

What does the future of driverless cars look like?

Driverless cars in the UK by 2030?


« Like Huawei, HTC hedges its bets on a premium camera with new device


After giving up on BB10, BlackBerry abandons the high end »
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail


Do you think your smartphone is making you a workaholic?