Tesla recently demonstrated its new electric pickup vehicle, dubbed “Cybertruck”, which has polarised public opinion. Some have stated it looks like a vehicle from a child’s sketch come to life, while others consider it to be a vision of the future. There were also concerns about the safetyof the unusual cube-like design as the prototype lacks windscreen wipers, turn signals and side mirrors. Whichever side you agree with, givenTesla’s ability to set trends, it’s possible this design could determine what the exterior of cars will look like in the future.
To be honest, I don’t like this car and wouldn’t own it or drive it. However, the use of the term “cyber” in the brand name is very relevant for current autonomous vehicles. In time this will be important not only for this truck with its unusual design, but for the automotive industry in general. Today, more and more cars are becoming cyber cars, and in the future it’s likely every car will be a cyber car. Cyber here doesn’t mean that they will all have a polygonal cyberpunk-like design though. It means that the focus of the car’s operating process will rely on digital systems, both inside and outside the car. So, the logical question here is: “how secure will all those cyber cars of future be?”.
Based on our experience working with car manufacturers on penetration testing and vulnerability research, we have seen two top issues that raise concern around automated and cyber cars:
#1 Impact on vehicle safety
One of the biggest worries is that someone can exploit vulnerabilities in a car’s system to take over a connected car’s control or manipulate its functions. That’s why we recommend car manufacturers conduct regular assessments and penetration tests to detect vulnerabilities before the car is released. They should also ensure that all components that can affect car security are tested.
To mitigate risks, if any security issues are found in released cars, best practice is to enable over-the-air (OTA) updates. With this technology, patching a car’s software resembles the way we update the software on our smartphones, as it allows us to install necessary updates for a car remotely, without the need to go in for a service. Provided the communication channel between the car manufacturer and the car is reliably protected, this is quite good practice.
OTA updates are still not commonplace in the auto market; it’s a real challenge to deploy rapid security updates which comply with all the quality and safety requirements for all vulnerable Electronic Control Unit (ECU) types. In case the OTA update distribution isn’t possible, we recommend deploying intrusion detection and prevention security modules to ECUs. This allows virtual patching alongside protection of in-vehicle systems, including connected devices, communication forms used and applications launched.
Car manufacturers can also introduce special bug bounty programs, so third-party researchers can report issues to resolve before the general public and therefore, threat actors, are aware of them.The good news is that some carmakers already support these initiatives. So, we hope that this step can transform from a good option to an industry standard soon.
#2 Private data exfiltration
Data is a form of second fuel for a connected car — the more contextual information the car has, the smarter decisions it can make on the road. For example, there are infotainment (IVI) systems — which deliver entertainment and information to the driver and passengers — and telematics units (TCU) that control the tracking of a car. They can collect and transmit to car manufacturer or app developer, a vehicle’s GPS location, mobile data (including information from social networks), driver style information and voice assistant recordings, as well as communication information.
Car location, the driver’s favorite routes and places (such as shops, cafes and gas stations), data from paired smartphones (including contacts, calls and voice requests) and data from in-vehicle cameras and microphones are held both by the vehicle itself and in the wider ecosystem. This can be a tempting target for malefactors. If this private information is in the wrong hands, it can be used for stalking or blackmailing. And, even if we don’t take into account the “usual suspects” – i.e. cybercriminals – the privacy of the owner of smart car is a serious question nowadays. Therefore, consumers are increasingly interested in how the data they generate while driving a cyber car is used.
Connectivity affects not only new cars but used ones as well. For example, it has been provenalready by our researchers, that connected cars are introducing some privacy risks for a forgetful owner. When a connected car is sold second hand, it can be possible for the new driver to access all of the same apps and data as the previous owner, if he or she didn’t log out. This can lead to the compromise of previous owner accounts – even ones that have card or bank details connected. Depending on the type of services saved in the car’s software, this could lead to financial or reputational losses, among others.
This means that, surprisingly, car manufacturers now have a new asset to deal with – their customer’s private data. What happens if this data leaks? Do car manufacturers have a plan on how to deal with these privacy issues?
Those are definitely questions to think about, but it is clear now that car manufacturers must also take care of privacy. Encryption of a vehicle’s communication networks when transmitting sensitive data outside a car is a good place to start in this area.
Driving automotive сybersecurity
The development of connected vehicles is incredibly exciting and combines two of my favorite interests – cars and technological innovation. We are now seeing how advancements in technology are driving the development of the automotive industry and its safety in today’s world. For example, a neural network can be trained to recognise anomalies under regular operating conditions through telemetry from a car engine.
I believe that cybersecurity posture of a vehicle will soon become a competitive advantage for car manufacturers, as customers are now more concerned about privacy issues. Besides that, some security issues can also pose danger to physical safety, which is the main factor for the majority of the public when choosing a car. In other words, it is important to show now what an automotive company is doing to protect the drivers of its cars from security risks.
So, if you ask me what makes a car a cyber car, I’d say that it is not simply a sci-fi, or even retro-sci-fi look. It is not the ability to drag another truck uphill or have cameras instead of rear-view mirrors. I’d say it is the ability of the car to cope with the challenges that connectivity and smart ecosystems bring to the way a car is produced, sold and used. Such cars have yet to arrive on the market but I’m sure that when the cybersecurity and automotive industries collaborate, this will happen very soon.