The cyber risks of connected vehicle technology

Connected vehicles are raising big cybersecurity questions, but proposed regulations such as the SPY Car Act could help protect consumer data.

The Internet of Things continues to gain popularity with consumers, and the automobile industry has taken notice. Automakers continue to fine-tune wireless technology that provides an Internet connection for conducting business on the go, as well as features that benefit the driver, such as notification of potential safety hazards and pending crashes. Car owners can also download smartphone apps to remotely unlock their cars, check engine status or find the vehicle's location.

But along with these technological advantages, connected vehicles also come with the same cybersecurity vulnerabilities as any other IoT device, said Daniel Allen, a research fellow at the Center for Climate Change and Security. Allen is also a U.S. Army/Desert Storm veteran, and was recently announced as a finalist in the 2016 Entrepreneurs' Organization-Houston Veterans Business Battle for his proposal to develop an online education center specializing in the cybersecurity of connected vehicle technology. In this Q&A, Allen discusses connected vehicles' cybersecurity vulnerabilities and how regulations such as the SPY Car Act are being designed to protect consumer data.

What are some of the cybersecurity risks facing consumers and automakers as connected, IoT-type technology is increasingly implemented in automobiles?

Daniel Allen: Connected vehicle technology potentially increases driving safety and efficiency through its ability to communicate with the Internet and other automobiles. But this connectivity, or interconnectedness, also exposes vehicles and the people inside of them to serious risks from cyberthreats. These vehicles are designed as the ultimate mobile, Internet-connected device or hotspot, like a portable wireless LAN that provides Internet connection access from any location. The cyber risks that consumers and automakers face stem from weakened basic cybersecurity fundamentals of confidentiality, integrity and authentication, or CIA.

As vehicles become more connected, more autonomous and become part of the Internet of Things, this ability to communicate with other vehicles and infrastructure through wireless networks increases the threat of cyberattacks. This increases safety and security risks to the individuals within the vehicle. Simply put, today's connected vehicles have morphed into computers that you can drive around in, and they are susceptible to many of the same cybersecurity risks as desktop or laptop computers.

The vulnerability of automotive systems to hacking was demonstrated by cybersecurity researchers Charlie Miller and Chris Valasek in 2013, when they managed to take control of several functions of a Toyota Prius. In 2015, they remotely hacked a Jeep Cherokee from 10 miles away through its Uconnect feature. They were able to change its speed and control its brakes, radio, windshield wipers, transmission, and other features. This demonstration was a wake-up call for the industry: 1.4 million cars were recalled for software updates, and an estimated 471,000 vehicles were vulnerable.

What are some potential compliance measures being proposed as a result of the cybersecurity risks of connected vehicle technology?

Allen: Automotive vulnerabilities to cyberattacks are now at an all-time high, which prompted the government to take direct action. On July 21, legislators introduced first-of-its-kind legislation: the Security and Privacy in Your Car Act. The legislation directs the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal security and privacy standards for today's connected cars.

The compliance measures outlined in the SPY Car Act address the convergence between automotive technology and computer technology. Automobiles are quickly becoming the ultimate mobile device with different computer connections being implemented into vehicles, including telematics systems, sensors, Bluetooth, and 802.11 IEEE wireless LAN standards.

Do you think these standards would help protect consumers with connected automobiles?

Allen: The resulting standards should provide effective protection for consumers with connected automobiles if they are similar to the cybersecurity compliance standards that were created for other sectors of our nation's critical infrastructure. It is important to note that industrial control and SCADA systems share important similarities with the automobile industry: Both are industries that have been around a long time but have not been successfully targeted by unethical hackers.

This has led to a weak cybersecurity strategy with little or no defensive security prerequisites, which makes them more vulnerable to exploits. Also, both industries have yearlong product development cycles, so by the time the product enters the market, the mitigations to the known security threats become inconsequential when new cyberthreats surface. The Stuxnet worm was an example of how industrial control systems could be compromised due to their inherent lack of defensive security and long product cycle developments.

This was last published in February 2016

Join the conversation

6 comments

What stipulations must be included in regulations such as the SPY Car Act to ensure connected vehicle technology remains secure?
Just more of the same old security basics, of course. Maybe we'll get it eventually.
Scary. I have had a car stolen in the past. Just thinking someone may be able to hack my car to gain access or take control of it while I'm driving is nuts. If the connected cars are truly safer to drive, that may be fine, to a point. There are still a lot of older cars that are not connected and could cause issues for those that are. Those don't play by the same rules. Not only that, the cost to repair the new technology is staggering. How I long for the days of the cars most of us could repair ourselves without running to a mechanic just to change a headlight.
Scary is right. I think the proposed compliance rules such as the SPY Car Act are a step in the right direction to protect driver data as these connected cars become more commonplace. There will likely be a lot of trial and error before compliance rules do enough to secure driver info, however, leaving the connected vehicles (and their owners) vulnerable in the meantime.
I just sold my 2012 Infiniti sedan that was riddled with computer-related problems and bought an old-school sports car that has minimal computers/sensors. I can add a new head unit so I can tie in my phone to listen to my music, make calls over Bluetooth, and use Google Maps. That's about as modern as I need to be - everyone else can have their new-fangled tech that merely serves to create problems and risks.
About the only luxury I have in my current vehicles is radio controls on the steering wheel. It's nice, but I could live without that as well. My feeling is if it is not making my car safer, I do not need it. Even then there are features that a good driver does not need. Do we really need parking assist? Onboard entertainment? Backup cameras? Lane departure? Automatic braking? I say pay attention, put down the phone and drive like you were taught. If you had to take your driving test again today, most people would fail.