How to Prevent Connected Carjacking
Most people reading this article will drive a connected car, which is essentially a car that can link to the Internet. GPS enables us to navigate through unknown territory. Smart radio selects our favorite music channels to play on our entertainment systems. And “really” smart cars are now driving us places autonomously while we sit back and watch a movie. However, with this increased level of comfort and convenience comes the potential threat from hackers who are increasingly looking for ways to infiltrate our vehicle Nirvana.
Back in the early 1990s, following increased awareness of the causes of global warming, the United States persuaded automobile manufacturers to install systems into their vehicles that would enable the easy diagnosis of car exhaust emissions. Thus, the On-Board Diagnostic (OBD) port was born. Today, the OBD, or OBD-II to give it its upgraded designation, has become a magic link to many other facilities and functions of the modern automobile. This port can now access information on virtually any system in your automobile from brakes, transmission, steering, and even control of your automobile’s entertainment system.
How secure is your car’s software?
Following a lead initiated by auto-hobbyists, the OBD-II port is capable of linking to a range of devices that can provide even more information and control of your vehicle. And just to push the envelope one step further, these OBD-II devices, which were originally manual-only ports, can now link to the Internet, which has opened the market to a flood of services and applications from fleet management to the parental control of young drivers.
With this panoply of potential connectivity comes the opportunity for determined hackers to invade our personal vehicle world and access our automobile’s vital systems. The consequences range from the least severe scenario, accessing the driver’s personal data or behavior patterns, to the worst case, taking full control of our vehicles through remote access. While the former is an inconvenience, the latter could result in a fatal accident. And the threats faced by drivers of connected cars just keep on growing. From attacks through mobile OBD-II apps to potential attacks while your automobile is upgrading its firmware, hackers continue to find new ways to exploit connected vehicle vulnerabilities.
Who is in danger?
It’s not just Internet-connected or autonomous vehicles that are in the firing line. Older vehicles that contain Wi-Fi or SIM-enabled OBD-II connections can also be infiltrated through the OBD-II port, which brings the number of potential target vehicles into the millions.
So, what can be done to optimize driver safety? Firstly, this should be the car manufacturer’s number one concern. While having your car stolen because somebody cracked your wireless key code is unpleasant, it’s not necessarily life-threatening. Having a hacker take control of the functions of your automobile while you’re driving is another matter. While the number of automobile hijackings is thankfully low, it can be, and has been, done. The famous case of Charlie Miller and Chris Valasek, who hijacked the functions of a Jeep Cherokee in a controlled hack in 2014, is a case in point.
One way to prevent automobile hijacking is to implement security at the level of the affected endpoint devices themselves. This would require the incorporation of real-time intrusion monitoring to detect attacks on the vehicle while it is in motion. However, this approach can be costly and is mostly applicable to new advanced models of cars.
The second, and preferred, option is to apply a network-based solution to reduce the attack vectors that threaten Internet-connected motor vehicles. This solution protects the communication link between connected vehicles and the automotive cloud, as well as the links to other Internet communications services, such as infotainment. A further advantage of the network-based solution is the possibility of incorporating artificial intelligence capabilities that can quickly identify anomalies in network communications.
The network-based solution is also relevant for older cars, and it should therefore be adopted by CSPs and automotive service providers, such as fleet management companies, to provide security for their clients and differentiate their services.
Are you concerned about connected vehicle attacks? Allot’s IoTSecure can assist.
Read more about connected cars in a special Allot Threat Bulletin Report: Connected Cars – Attack Vulnerabilities.