Total Recall? Securing Connected Cars

September 29, 2016 by Marie Hattar

Product recalls are exactly what every manufacturer doesn’t want. They’re expensive – sometimes prohibitively so – they’re complicated to deal with, and they can put a dent in reputations too. A recent safety recall by General Motors covered over four million vehicles across several brands and models, at significant cost.

However, the really interesting thing about this recall isn’t the scale, but rather why the cars were recalled. In the affected cars, the airbag sensing and diagnostic module (SDM) was found to be faulty: under certain driving conditions it instigated a diagnostic test, which in turn meant that the airbag would not inflate when required. Vehicle owners have been advised to take their cars back to General Motors, who will ‘reflash the SDM firmware free of charge’. In short, this isn’t a mechanical problem – it is a digital one.

‘Connected car’ technology covers an extremely broad range of applications. You might not think that your current car falls under this banner, but a vehicle doesn’t have to be self-driving to be connected. Vehicle location, OnStar roadside assistance, satellite radio, Bluetooth capability (so your smartphone can use your car speakers, among other things), rear-view cameras, remote start, and onboard Wi-Fi are all different versions of connected car technology. ‘Infotainment’ possibilities such as being able to access the weather forecast, sports scores, games and films in-car also rely on internet-enabled technology. And of course, self-driving cars are the next great frontier.

As ‘connected cars’ become increasingly commonplace – and complex – it is vital that car manufacturers think carefully about both the practical and the security challenges involved when embedding communications technologies in motor vehicles.

First, as mentioned by a security researcher in the above article, manufacturers need to take steps to ensure that bugs and vulnerabilities identified in vehicles’ computing systems can be patched remotely. As connected cars become a tastier target for cybercriminals, there will be more and more malicious activity aimed at identifying possible exploits in cars’ software applications. Fixing these vulnerabilities onsite will be impossible from a cost and logistics perspective – but performing over-the-air updates also has to be a secure process that cannot be interfered with by a malicious party.

This leads to the question of malicious cyber activity directed at connected cars themselves. How can car manufacturers ensure that the multiple elements within their vehicles that connect out to the internet are not also presenting an easy and enticing route in for cybercriminals?

Why would malicious hackers want to find their way into a connected car? There could be useful data for them to mine – personal contact details and financial information, for example. Or they could seek to interfere with the vehicle itself, in a form of cyber vandalism or even terrorism.

Protection against such malicious activity demands a comprehensive program of testing, to check for both known vulnerabilities and the evidence that criminals are probing for new and as-yet unknown vulnerabilities. At Ixia, we have developed a comprehensive range of test services for connected car manufacturers, which we go into in more detail in a Case Study. You can access it here.

Connected cars bring exciting possibilities in terms of efficiency and entertainment, but they are also a hefty potential security challenge.  At Ixia, we’re able to help manufacturers drive innovation through comprehensive testing.