The Cloud Security Alliance is taking a close look at connected car security and how it unfolds in the future, covering everything from design to possible ways attackers can take control.
The CSA released its first research report on the topic this month. Titled Observations and Recommendations on Connected Vehicle Security, it provides in-depth details about vehicle security connectivity design, possible attack vectors of concern and recommendations about how to better secure the environment.
The ultimate goal is to create a vehicle security design that can be flexible in adapting to future challenges and cognisant of the unanticipated threats that disruptive technologies bring.
“In the near future, connected vehicles will operate in a complex ecosystem that connects vehicles not only with each other and the traffic infrastructure, but also with new forms of connectivity and relationships to cloud-based services, smart homes, and even smart cities,” comments Brian Russell, chair of the CSA IoT Working Group.
He believes that for a secure and safe system, policies, designs and operations that incorporate security must be implemented in the development stages.
Protecting systems against possible attack vectors must also be front of mind: the report proposed 20 different attack vectors and what could happen in each case.
Those attack vectors include monitoring the vehicle's messaging traffic, which could result in unauthorised tracking; reverse engineering firmware to hijack safety-critical operations; and infecting the vehicle with malware to disable it entirely.
The report cites cases in which Fiat Chrysler recalled 1.4 million cars and trucks after hackers were able to remotely disrupt a Jeep Cherokee. In another attack, researchers managed to control a Tesla Model S car and turn it off at low speed. Tesla has fixed the issue.
“There are a number of motivations for bad actors to compromise connected vehicle components and technologies, ranging from curious hackers attempting to demonstrate weaknesses, to malicious entities attempting to cause harm, on both small and large scales,” explains John Yeoh, senior research analyst at the CSA.
“Only through the thoughtful use of disruptive technologies such as big data, machine learning and artificial intelligence can we help build a better, safer and more secure connected vehicle ecosystem.”
Even older cars that are being fitted with connected devices are not immune. Security researchers have been able to gain access to sensitive functions through direct or remote access, including USB, diagnostics, Bluetooth, wi-fi and infotainment consoles.
The report provides a number of recommendations, including strong boundary defence, interface filtering, securing update processes, aftermarket protection, data integrity, privacy protection, malware defence and continued R&D.