Driverless cars may be a thing of the future, but connected cars aren’t, so the entire automotive information security ecosystem has to be locked down, says PAUL WILLIAMS, Fortinet country manager for SADC.
Driverless cars, now being tested on public roads in countries such as the United Kingdom, France, and Switzerland, may be a futuristic dream in South Africa. But connected cars with inbuilt intelligence, and digitally-enabled public transport, are already here, presenting multiple potential security risks to motorists, manufacturers and automotive partners.
On the road to the intelligent driverless car of the future, we are already connecting vehicles and equipping them with a range of intelligent features. These connected, intelligent systems gather potentially sensitive information and communicate it with a control or command centre. Point of sale information, entertainment and online services delivered within the vehicle have to be secured. As we advance toward fully autonomous vehicles, controls including steering, braking, engine management and navigation will depend on a fully secure ecosystem supported by a reliable 3G/4G/5G and Carrier Wi-Fi connection, to function safely.
Effectively securing this ecosystem will depend on close collaboration between vehicle manufacturers, application developers, service providers and carriers. In South Africa, achieving self-driving cars will also depend on expanded Mobile or Wireless coverage across towns, cities and the country. Efforts are already being made internationally for automotive, IT and security stakeholders to work together more closely to ensure a fully secure environment for self-driving and connected cars, but their efforts will have to intensify as the pace of smart car development picks up.
Incorporating more and more technology into a vehicle, whether for improving the customer’s driving experience or enhancing the vehicle’s performance, must be balanced with the management of their potential threats and risks. Ensuring that appropriate and effective security technologies are implemented within these systems must be a mandatory objective, even if it’s not (yet) a regulatory requirement.
Additionally, a growing problem with many IoT devices is that they use common communications programs that have no security built into them at all. As a direct result, an alarming number of IoT devices to date have been highly insecure. We need to do better for autonomous cars than the current IoT benchmark.
At the same time, manufacturers must work with their different technology and communications suppliers, across all of the territories where their vehicles are sold, to ensure that any network connections to the vehicles are appropriately hardened.
Automotive security can be addressed as three distinct domains that may make use of similar techniques in some instances, and require novel treatments in others.
- Intra-vehicle communications. Smart vehicles will have several distinct on-board systems, such as vehicle controls systems, entertainment systems, passenger networking, and even third-party systems loaded on-demand by owners. To a certain extent, these systems will need to engage in “cross-talk” to bring new services to life, but this cross-talk needs to be closely monitored and managed by systems such as firewalls and Intrusion Prevention Systems (IPS) that can distinguish between legitimate and normal communications and illicit activity in the car’s area network.
- External communications. Many, if not all on-board systems will have reasons to communicate to Internet-based services: for manufacturer maintenance, for software updates, for passenger Internet access, for travel and driving instructions, for service requests, to purchase items or services, or to backup data. External communications will very likely be both “push” and “pull” – they may be initiated either from inside the vehicle, or to the vehicle from a manufacturer or the Internet. This also means that traffic to and from the vehicle will need to be inspected and managed for threats and illicit, defective, or unauthorized communications using firewalls and IPS-like capabilities.
- Next, the connectivity infrastructure used by a vehicle will likely be based on well-established cellular networks, such as 3G/4G/5G and Carrier Wi-Fi data services, but with a twist. While these wireless services already provide connectivity to billions of smart phones and other devices around the world today, they also suffer from inconsistent security. Smart, driver-assisted, or even driverless vehicles will raise the stakes significantly. A directed attack on or through the “connected” network could trigger significant, safety-critical failures on literally thousands of moving vehicles at the same time. Securing “the connected” networks providing critical vehicle communication will require a thorough review in light of such potential catastrophe.
- Finally, high-assurance identity and access control systems suitable and designed for machines, not people, will need to be incorporated such that: cars can authenticate incoming connections to critical systems, and internet-based services can positively and irrefutably authenticate cars and the information they log to the cloud, or transaction requests they may perform on behalf of owners – such as service requests or transactions to buy fuel or pay tolls.
Unless efforts are stepped up to secure the entire automotive environment, Gartner’s vision of driverless vehicles representing approximately 25 percent of the passenger vehicle population in use in mature markets by 2030 will be fraught with new risks.
From a hacker’s perspective, connected and driverless cars will represent yet another opportunity to wreak havoc by remotely accessing a vehicle and compromising one of its onboard systems, resulting in a range of risks from privacy and commercial data theft, to actual physical risks to people and property.
Here are some attacks that are likely to be targeted at highly connected and autonomous cars:
Privilege escalation and system interdependencies: not all systems and in-car networks will be created the same. Attackers will seek vulnerabilities in lesser-defended services, such as entertainment systems, and try to “leap” across intra-car networks to more sensitive systems through the integrated car communications systems. For instance, a limited amount of communication is typically allowed between an engine management system and an entertainment system to display alerts (“Engine fault!” or “Cruise Control is Active”) that can potentially be exploited.
System stability and predictability: Conventional, legacy car systems were self-contained, and usually came from a single manufacturer. As new autonomous cars are developed, they will very likely need to include software provided by a variety of vendors – including open source software. Information technology (IT) systems, unlike industrial control systems such as legacy car systems, are not known for predictability. IT systems, in fact, tend to fail in unpredictable manners. This may be tolerable if it is just a matter of a web site going down until a server re-boots. It is less acceptable in the event of a guidance system being degraded even slightly when an adjacent entertainment or in-car Wi-Fi system crashes or hangs.
Also expect to see known threats adapted to this new target, expanding from common Internet platforms like laptops and smartphones to an IoT device like an autonomous car. For instance:
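The managed cross-talk described above, where an engine management system may send display alerts to an entertainment system and nothing else crosses, can be expressed as a default-deny gateway policy. This is an added example, not code from the article or from any vendor; the domain names, message IDs and limits are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: the domain names, message IDs and limits below are
# illustrative assumptions, not values from any real vehicle.
@dataclass(frozen=True)
class Rule:
    src: str          # sending domain
    dst: str          # receiving domain
    msg_id: int       # message identifier allowed on this path
    max_len: int      # largest payload accepted, in bytes
    max_per_sec: int  # frames allowed per one-second window

POLICY = [
    # Engine management may push status alerts to the display, one way only.
    Rule("engine", "infotainment", 0x301, 8, 10),
]

class Gateway:
    """Default-deny filter between in-car network domains."""

    def __init__(self, policy):
        self.rules = {(r.src, r.dst, r.msg_id): r for r in policy}
        self.window = {}   # path -> (second, frames seen in that second)
        self.dropped = []  # audit trail for the monitoring side

    def forward(self, ts, src, dst, msg_id, payload):
        key = (src, dst, msg_id)
        rule = self.rules.get(key)
        if rule is None:                      # unknown path or reverse direction
            return self._drop(ts, key, "no-rule")
        if len(payload) > rule.max_len:
            return self._drop(ts, key, "oversize")
        sec = int(ts)
        start, count = self.window.get(key, (sec, 0))
        if start != sec:                      # new one-second window
            start, count = sec, 0
        if count >= rule.max_per_sec:         # flood on an allowed path
            return self._drop(ts, key, "rate")
        self.window[key] = (start, count + 1)
        return True

    def _drop(self, ts, key, reason):
        self.dropped.append((ts, *key, reason))
        return False

def run_sample():
    """Replay constructed frames; return (forwarded count, drop reasons)."""
    gw = Gateway(POLICY)
    frames = [
        (0.0, "engine", "infotainment", 0x301, b"\x01"),      # alert: allowed
        (0.1, "infotainment", "engine", 0x301, b"\x01"),      # reverse path
        (0.2, "infotainment", "engine", 0x120, b"\xff"),      # unlisted message
        (0.3, "engine", "infotainment", 0x301, b"\x00" * 9),  # oversize
    ]
    frames += [(1.0 + i / 100, "engine", "infotainment", 0x301, b"\x01")
               for i in range(12)]                             # burst of 12
    ok = sum(gw.forward(*f) for f in frames)
    return ok, [d[-1] for d in gw.dropped]
```

The rate limit also addresses the stability concern: a crashed or looping entertainment-side component cannot flood a path it is not listed on, and an allowed path is capped.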
Botnet Attack: Botnet (“robot”) attacks are on the increase, to the extent that the endpoint itself now becomes the victim, without its owner realising the attack at first. Such an attack can target a single endpoint, or a handful of machines, networks and endpoints simultaneously, depending on the severity of the attack. Infection normally takes place through malware, with a specific Trojan that allows the cybercriminal to start controlling the environment. The answer is to ensure that an application control function, botnet detection with IP reputation, and a Distributed Denial of Service (DDoS) system are in place to monitor and defend against such attacks. If the driverless car receives email-type messages, or messages in a similar format, nothing stops this means of communication from being compromised.
Ransomware: Ransomware is certainly on the rise on PCs and mobile phones. But driverless cars represent an almost ideal target. Imagine the following scenario: a hacker uses the in-car display to inform the driver that his car has been immobilized and that a ransom must be paid to restore the vehicle to normal operation. While a laptop or tablet may be restored relatively easily with potentially no damage, assuming backups are available, a car is a very different story. The owner may be far from home (the ransomware could be programmed to only launch when the car is a predetermined distance from its home base.) Naturally, few dealerships would be familiar with resolving this sort of problem, and specialist help would most likely be required to reset affected components. The cost of such a ransom is expected to be very high, and will likely take time. In the meantime, the vehicle may have to be towed. So the question is, what is the amount of the ransom demand that we expect to see? Estimates are that it is likely to be significantly higher than for traditional computer ransomware, but probably less than any related repair costs so that the car owner is tempted to pay.
Spyware: Perhaps a more attractive target for hackers is collecting data about you through your car. Driverless cars collect massive amounts of data, and know a lot about you – including your favourite destinations, your travel routes, where you live, how and where you buy things, and even the people you travel with. Imagine a hacker, knowing that you’re travelling far from home, sells that information to a criminal gang who then breaks into your home, or uses your online credentials to empty your bank account.
That last risk exists because your driverless and connected vehicle is likely to become a gateway for any number of electronic transactions, such as automatic payment of your daily morning coffee, or parking charges, or even repairs. With sensitive information stored in the car, it becomes another attack vector to obtain your personal information. And with RFIDs and Near Field Communications (NFC) becoming commonplace in payment cards, accessing their details through your car would be another way to capture data about you and your passengers.
And last but not least, there are legal and authenticity issues. Can we consider the location data of the car as authentic? That is, if your car reports you opened it, entered it, and travelled to a particular location at a certain time of the day, can we really assume everything happened as recorded? Will such data hold up in court? Or can this sort of data be manipulated? This is an issue that will need to be addressed. Similarly, if cars contain software from several different providers, and spend the day moving from one network to another, who is accountable or liable for a security breach and resulting losses or damage? Was it a software flaw? Was it negligent network management? Was it on-board user-error or lack of training?
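One way to make the manipulation question above testable is a tamper-evident event log, in which each record is authenticated together with the record before it. This is an added example, not part of the original article; the record fields, sample values and key are constructed, and HMAC from the Python standard library stands in for the per-vehicle signing key a real design would hold in hardware.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used before the first entry

def entry_mac(key, prev, record):
    """MAC over the previous entry's MAC plus a canonical form of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + body, hashlib.sha256).hexdigest()

def append(log, key, record):
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"record": record, "prev": prev, "mac": entry_mac(key, prev, record)})

def verify(log, key, expected_head=None):
    """Return -1 if intact, else the index of the first bad entry.

    expected_head is the last MAC the backend received; passing it lets the
    verifier notice entries silently cut off the end (reported as len(log)).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        good = entry_mac(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], good):
            return i
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1

def demo():
    key = b"constructed-demo-key"  # placeholder; a real key stays in hardware
    log = []
    for seq, (ts, lat, lon, event) in enumerate([
        ("2018-05-01T07:02:11Z", -26.2041, 28.0473, "unlock"),
        ("2018-05-01T07:03:40Z", -26.2041, 28.0473, "ignition_on"),
        ("2018-05-01T07:41:05Z", -26.1076, 28.0567, "ignition_off"),
    ]):  # constructed sample records
        append(log, key, {"seq": seq, "ts": ts, "lat": lat, "lon": lon, "event": event})
    head = log[-1]["mac"]

    edited = copy.deepcopy(log)
    edited[2]["record"]["lat"] = -25.7479       # rewrite the destination
    removed = log[:1] + copy.deepcopy(log[2:])  # drop the middle entry
    truncated = log[:2]                         # cut off the last entry
    return {
        "intact": verify(log, key, head),
        "edited": verify(edited, key, head),
        "removed": verify(removed, key, head),
        "truncated": verify(truncated, key, head),
        "wrong_key": verify(log, b"other-key", head),
    }
```

Because HMAC is symmetric, this proves integrity only to a party that shares the key; evidence that must convince a third party needs an asymmetric signature over the same chained structure.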
Mini embraces innovation
Mini has launched its 2018 models with customisable interior features and major technology upgrades, writes BRYAN TURNER.
Mini has never been known as a high-tech car, due to its small form factor being the differentiator. But now the well-known brand has received a long-awaited strategy overhaul, bringing with it a new technology focus. Even the Mini logo underwent a subtle redesign, opting to use negative space to show the gaps in the wings of the logo instead of a raised metal look. This forms part of the new “MINImalism” strategy.
Mini’s strategy for now and the foreseeable future is to increase automation in its cars.
Connected Drive, pioneered by BMW, allows for an intelligent connection between the car and smartphone. This enables one to check the fuel level, heat the interior and start the onboard navigation, all without having to be near the car, from a smartphone. When one is in the car, calendar events with location data can trigger the onboard navigation to calculate ETAs and time in traffic, offset on real-time data collected through the smartphone’s Internet connection.
We tested it with both the Mini Connected Drive and BMW Connected Drive apps, and both interfaced well with the car. Surprisingly, the BMW Connected Drive app seemed to interface slightly better with the Mini than the Mini Connected Drive app.
While the app is recommended, it’s not required, because the car integrates excellently with Bluetooth-enabled devices. iPhone users are in luck, because the entertainment system includes CarPlay, Apple’s simplified connected car interface software. This allows for music, maps and other CarPlay-enabled apps to be shown directly on the car’s touchscreen, as they do on the iPhone, save some text-sizing adjustments.
Pairing the iPhone is as easy as holding down a button on the steering wheel and tapping the car when it appears in the built-in CarPlay menu on the iPhone. No app download is required.
MINImalism runs through the car’s technology. The Mini’s 6.5-inch touch screen control panel shows an image of the car with layman’s terms of what the internal systems are doing, keeping to minimalist design patterns. The new Mini Coopers come standard with a Harman/Kardon 12-speaker setup, which features in the Mini Connected Drive.
The steering wheel is redesigned, now featuring more buttons to help keep one’s hands on the wheel. The left side of the wheel features cruise control buttons, while volume and call controls are located on the right side. This bears a strong resemblance to the BMW configuration, featuring similarly placed steering controls.
With all the Mini’s customisations, the company invites consumers to take it further with optional extras. Mini Yours Customised (yours-customised.mini) is a web platform where one can choose custom side scuttles, custom cockpit facia, customised LED door sills and even a customised door projection light. These parts are either 3D-printed or laser-cut, depending on the material, to the specification outlined on the web app.
As optional extras, one can opt for a wireless charger in the armrest compartment and secondary front USB port for both the driver and front passenger, to charge their phones simultaneously. A SIM card connecting to the 4G/LTE network can be fitted directly into the car, allowing for use of Mini Teleservices and Intelligent Emergency Calling, with automatic vehicle location reporting. The Mini Find Mate is an extra service that uses wireless tags to track items from the car’s onboard system or from the Mini Connected Drive app. This tag can be attached to frequently misplaced items or travel items, like backpacks, suitcases and briefcases.
Future Minis are expected to be electric by 2019 in Europe and are expected to arrive in South Africa in mid-2020. This seems realistic, considering that the BMW i3 forms part of the same group.
Overall, the Mini range has received a subtle yet effective cosmetic and technology overhaul, delivering loads of functionality in a minimalist package.
Why SA needs connected taxis
Traffic across South Africa continues to be a headache and digital acceleration may just be the answer in mitigating daily congestion, says CLAYTON NAIDOO, General Manager, Sub-Saharan Africa, Cisco.
Creating smart cities and digital workplaces means connecting infrastructure and digitizing transport systems, particularly in the taxi industry. Can you imagine what South African roads would look like in 10 years’ time, if taxis were connected?
According to Statistics SA’s 2013 Household Survey, taxi operators transport over 15 million commuters daily. Around 200,000 minibus taxis, across 2 600 taxi ranks, provide the main mode of transport for 50% of SA’s population earning less than R3 000 per month.
The impact of the taxi industry on the daily lives of South Africans is huge, research by Transaction Capital, a financial services provider in the taxi industry revealed. An estimated 70% of people who attend educational institutions make use of taxis, 69% of all South African households use taxis in their transport mix, and a staggering 68% of all public transport trips to work are in taxis. Plus, minibus taxis reach remote places other forms of public transport don’t – the average South African lives within a 5-minute walk of a minibus taxi.
Sadly, the industry is still faced with challenges when it comes to road congestion, accidents and safety, and with drivers often forced by financial needs to work long hours. But a future where taxis can operate efficiently and profitably, while improving safety and providing a more convenient customer and employee experience, is possible. But it requires a digital business transformation.
Our cities need to start connecting infrastructure and piloting these digital experiences now. Globally, there will be 380 million connected vehicles on the roads by 2020, but that is only half the battle. The first step toward making the frictionless commute a reality is for local governments to begin investing in technology architectures and physical infrastructure to accelerate connected transportation systems and create workplace innovation.
On the strategic side, transportation officials can begin by identifying best practice. It is best to first pinpoint a problem that is unique to a city or region. For example, a city with notorious traffic congestion might want to start integrating smart sensors on roadways to alert drivers and connected vehicles in real-time of potential hazards, and possibly prevent accidents before they happen.
How would that look in practice? Let’s take the example of Sipho Ngwenya, a fictional character, from Zola in Soweto, one of the 600 000 people employed in the industry.
He gets up at 4am every day to get to the taxi rank where he parks his minibus overnight. Sipho hopes to be one of the first drivers there to ensure he fills his taxi with commuters, who travel to the northern suburbs of Johannesburg for work and school.
The earlier he starts transporting people, the better chance he has of generating the daily “rental fee” he pays his boss – the owner of the minibus. If Sipho is even 10 minutes late, the queue of people at the rank may have halved. If his taxi is the last one in the queue, it may not fill up, and he may need to drive around the block to find more commuters. The delay means longer hours for him, his conductor-cum-assistant (guardjie) will have to spend more time calculating and collecting fares, and it will increase his costs – he’ll spend more money on fuel.
Fast forward six months, when the Joburg metro area would have implemented the Cisco Connected Mass Transit technology solution to connect the taxi industry. Sipho’s alarm goes off at 4am. He grabs his phone and logs onto the Cisco platform before he jumps out of bed: the weather is clear but there’s been an accident overnight on his route to the rank – he’ll have to take a detour. He checks once again just as he leaves home, and sees that he has time to grab breakfast on his way.
He is the first driver to arrive at the rank that morning – stress-free and ready to start. The rest of the minibuses are stuck behind the accident. He loads commuters and manages to get all of them to their destinations 10 minutes early, by checking the best routes. Payments are no longer collected in person – there is now an easy mobile payment option that customers love, especially the young ones. And Sipho no longer needs to search for commuters – they stop his minibus on the road because it is marked as a ‘connected minibus’. This is a smart workplace.
These digital solutions are real and available to the SA taxi world. There are some caveats, though: Cisco’s international experience shows that these solutions are best implemented alongside awareness campaigns for commuters and government incentives to drive adoption, as well as ensuring the regulatory environment is conducive. Luckily, technology itself isn’t too much of a problem: the solutions work with existing IT systems local governments have installed.
Imagine South Africa in a decade. Now imagine a South Africa where traffic congestion is a thing of the past.