The “connected” car market is expected to be worth $44.4 billion in 2018, with 21 million of the cars sold in that year fitted with so-called smartphone integration systems. Car connectivity, now a bona fide part of the Internet of Things (IoT), offers endless opportunities for new features and services, ranging from simple music and video streaming capabilities to the remote control of vehicles. Alongside the many new conveniences and opportunities this technology will bring, new security risks will also arise. Greater connectivity increases the attack surface of these “smart” vehicles. These new threats will affect everyone involved in their construction and maintenance, from equipment manufacturers to dealers, mechanics, and of course drivers and their passengers.
The massive influx of new data generated by connected cars will be the main source of these new vulnerabilities. Mileage tracking software to optimize range, remote diagnostics servicing, and predictive maintenance monitors are only a few examples of the many new smart devices generating constant streams of data from inside connected cars. Outside connections, linking individual cars with larger networks, will also proliferate as new services gain in popularity, such as smart vehicle insurance systems that collect driving data to adjust premiums, and traffic flow and parking apps. This growth in the amount of data generated will make it increasingly challenging for those who collect it to secure it across all attack vectors at all times.
Any small object connected to the Internet is exposed to the full force of malicious attacks, ranging from malware to buffer overflow exploits. With something as complex as a smart car carrying 100 or more electronic control units (ECUs), the attack surface is exponentially broadened, as each ECU must be secured in some shape or form. As demonstrated by the recent experiment on a Jeep Cherokee, hackers can not only steal valuable data but also remotely control the vehicle by commandeering its accelerator, brake, and steering systems. Based on their study of 20 recent models (2014 to 2015) from multiple car manufacturers, the researchers who hacked the Jeep Cherokee pointed out that the success of a car hack depends on three major factors: remote attack surfaces, cyberphysical features, and in-vehicle network architectures. They identified more than seven major categories of remote attack surfaces.
The financial costs of these cyber attacks are also great. Experts estimate that the likely annual cost to the global economy from cybercrime is more than $445 billion, including both the gains to criminals and the costs to companies for recovery and defense. With 90 percent of new vehicles in western Europe scheduled to be connected to the Internet by 2020, there will be a strong incentive for hackers to follow the new market opportunity. The ramifications of automotive cyber attacks go beyond the reputational or financial consequences for car companies as hacked accelerators, for instance, can create life-threatening situations for drivers and their passengers.
Despite the expanding nature of automotive cyber attacks, a number of collaborative defensive approaches can be taken to prevent, detect, and remediate threats. Hardware-based defense in and around the ECUs, software-based protection, cloud security services, network monitoring, and appropriate data encryption are key layers for smart-car cybersecurity. Comprehensive incident response plans involving all stakeholders are a critical element of vehicle cybersecurity as well. Collaboration among manufacturers, drivers, dealers, third-party security vendors, aftermarket service shops, and app stores will be increasingly important for the smooth transition to smarter cars.