Who’s in the driving seat?
New connectivity capabilities and advancements in the Internet of Things are creating a bold new world for the automotive sector. However, drivers need to be assured that their security and privacy are looked after before taking the wheel in a truly connected car.
Cars have gone from standalone devices with limited electronics to fully connected vehicles, with systems integrated with Bluetooth, Wi‐Fi, cellular connectivity, GPS and satellite radio. Apple CarPlay and Android Auto have made smartphones an integral part of the automotive experience while entertainment, navigation and engine functions can now self‐report diagnostic statuses to cloud‐based operators.
Exciting though this may be, every connection increases the attack surface, providing new opportunities for hackers to access car systems and steal data. It is widely estimated that connected vehicles now rely on an exploding number of software lines of code. Manfred Broy, a professor of informatics at Technical University, Munich, estimated that connected cars contain close to 100 million lines of code — more than a commercial aircraft, a fighter jet and Facebook combined. Add this to over 30,000 component parts, up to 100 electronic control units (ECUs) and around 25 gigabytes of data created every hour, and it’s clear that cars have transformed into sophisticated computers that ultimately, will need securing, patching and updating regularly.
With unprecedented speed and latency abilities, 5G will be the fundamental enabler of the next phase of connected cars: autonomous driving. Instead of just reporting a status or delivering information for navigational guidance, the ultra‐low latency characteristic of 5G will enable response times to new traffic situations in less than 1 minute.
Whereas a car today is an anonymous entity in a large fleet of vehicles on a road, cars with autonomous systems that take advantage of 5G will broadcast information about themselves to other cars and to the surrounding infrastructure. In this world, the car is no longer an anonymous entity but operates as a moving entity within a network.
As 5G capabilities become more mainstream and influential in the automotive sector, manufacturers must ensure each remote vehicle and its data is secure, including all and any data that is being transferred to and from a central site. As an experienced player in this field, G+D Mobile Security is paving the way for the automotive solutions of the future.
While drivers can already be tracked today via their smartphones, they can still shut the phone off to escape such capabilities
-Marc Canel, VP of security at Imagination Technologies
“While drivers can already be tracked today via their smartphones, they can still shut the phone off to escape such capabilities,”says Marc Canel, VP of security at Imagination Technologies, which designs chips for connected and autonomous cars. “This will not be possible in an autonomous car as its location must be broadcast to the system at all times. As a result, 5G communications will have to be protected by fast and robust cryptography and session level protocols between applications.”
With the introduction of 5G networks, manufacturers now have a much more robust means of updating vehicles “over the air”. What the traditional IT industry has faced for years with patching is going to become a reality in the automotive sector. Vehicle updates and patches can be deployed without visiting the dealership.
Built‐in navigation systems today make a car’s location easily trackable by sophisticated hackers. Beyond that, upcoming systems will track drivers’ skills at operating the car, how they respect road laws and their attention levels, alertness and mood. Soon cars will also be able to fully integrate payment systems for tolls and on‐demand content and guidance. An example of advances already being made in this space is the partnership between Jaguar Land Rover (JLR) and Shell back at the beginning of 2017. On filling up at a Shell petrol station, Jaguar drivers can now make a payment via an in‐vehicle app, displayed on the cards touchscreen.
Peter Virk, Jaguar Land Rover’s Director of Connected Car and Future Technology, said: “Customers are increasingly using electronic payments and contactless cards. Making a payment directly from a car’s touchscreen will make refueling quicker and easier. With this new system you can choose any pump on the forecourt and pay for the fuel even if you’ve forgotten your wallet or can’t find your credit or debit card.”
The more cars advance in this way however, the more data they create. And this data, is all sensitive, and could become the object of attacks by nefarious actors. As information that represents the profile of an individual, it will also be high on the radar of the Information Commissioners Office (ICO), which oversees compliance with the General Data Protection Regulation (GDPR). “Privacy regulations play an important role in how personal data is protected and processed,” says Mr Canel. “Manufacturers will need to create architectures that meet the requirements of the local regulators, region by region, country by country.”
Manufacturers will need to create architectures that meet the requirements of the local regulators, region by region, country by country
Cars are already connected in more ways than most drivers realize. Driver assistance features including park assist, blind‐spot warnings and crash avoidance, as well as navigation and real‐time traffic services, all require connectivity. Once spaces where consumers could disconnect from the outer world, cars are now connectivity hubs.
As apps move from phones to cars and power connected and autonomous vehicles, they need to be trustworthy, reliable and transparent. As an expert in IoT security, G+D Mobile Security points out that while more data means a higher quality of services for the driver, extra functionalities could come at the cost of consumer privacy if processes and protections are not put in place. The more drivers rely on quick access to data and connectivity for the optimum driving experience, the higher the risk.
At some stage, it will fall to drivers themselves to determine whether some services are worth a potential loss of privacy. Enjoying cheaper insurance rates at the expense of allowing third parties to access driving data and location, for example, may be an acceptable trade‐off for many people. Any data that is transferred, however, means trusting the relevant third parties on their own ability to keep it secure from hackers.
“With drivers increasingly embracing the freedom that connected cars give them, the amount of data being collected on them can sometimes be forgotten,” says Cassandra Moons, data protection officer at TomTom. “There are plenty of drivers out there using apps by companies whose primary purpose is to monetize that data for targeted advertising purposes. Good, ethical data practice begins within and businesses that harvest user data need to build a culture that values users and puts their privacy first.”
Good, ethical data practice begins within and businesses that harvest user data need to build a culture that values users and puts their privacy first
-Cassandra Moons, data protection officer at TomTom
As vehicles become more connected to their surrounding environment, security needs to be considered beyond just the vehicle and instead in a wider systems context. Any compromise that disrupts the normal functioning of a vehicle is potentially very dangerous, so standards that define good practice can help manufacturers and infrastructure operators manage security risks in their products, services or activities. The role of G+D Mobile Security as a leading security partner is crucial to the success of such a framework.
Standards bodies around the world are beginning to work more closely with governments and industry to develop these standards, with data privacy and cyber security key priority areas. The CAR 2 CAR Communication Consortium, of which G+D Mobile Security is a member, for example, has been working in collaboration with the European Telecommunications Standards Institute and European Committee for Standardization to create standards that ensure the safe interoperability of cooperative systems spanning all vehicles classes.
The growing number of programs set up to develop standards for connected vehicles also include efforts, such as by the British Standards Institute (BSI), to examine how and if car leasing and hire companies and auction houses are removing personal data that may have been stored by the vehicle. This could include data showing where the car was driven, who was in the vehicle and any stored phone numbers.
“Unless someone takes responsibility for wiping it, this data could be accessed by the next user or owner,” says Nick Fleming, head of transport at the BSI, which published two standards last year covering cyber security at both the vehicle and infrastructure level. “Someone could be responsible for erasing this to comply with GDPR and the method of doing so could be an area for standards to ensure that it is done correctly.”
All parties must work together to achieve security of connected cars. Software must be secure and managed through its lifetime, the storage and transmission of data needs to be controlled, and the system should be resilient to attacks and able to respond appropriately when its defenses fail. The internet of things will no doubt transform the driving experience for the better but while it’s inevitable drivers will lose some control of the wheel, that must not come at the expense of their physical or virtual security.
Find out more here.