Automakers are addressing cyber security in the new models (Photo: Symantec)
Security software maker Symantec last month issued a report on the vulnerability of connected cars. The conclusion: There are ways to protect cars from hacking and other cyber attacks. But today's generation of vehicles, which doesn't yet have robust connectivity on board, is a clear target for cyber attacks.
Cyber security has been in the spotlight in recent months as some of best known car brands became the targets of digital attacks. Fiat Chrysler, General Motors and Tesla all had to address vulnerabilitiesÂ in theirÂ Â connected-car systems.
The cyber attacks were all committed by IT security experts intent on proving the vulnerability of today's connected vehicles, but the success of the attacks showed that automakers have some work today to protect their vehicles.
Today's car is "moderately secure," said Sandro Gayken, a cyber security expert at theÂ European School of Management and Technology in Berlin. In answer to written questions, Gayken said today's cars are secured the same way office IT is safeguarded, which leaves much to be desired.
The problem is aggravated by the fact that the proper functioning of many automotive systems can mean the difference between life and death. "I can probably live with the entertainment system shutting down, but it's a different story when we're talking about airbags, brakes, or acceleration," Gayken said.
Experts agree that the IT security of today's cars needs to be improved. Thomas Hemker, security strategist at Symantec, said the state of automotive security doesn't inspire confidence. But he said the car industry is addressing the issue. "If you look at the new technologies entering the car, there's more reason for optimism because developers are firmly anchoring the security aspects into the car from the start."
Gayken agreed that IT security must be built into connected cars from the start and it must provide a high level of security. "Firewalls and M2M encryption only have limited functionality in this environment and they are cumbersome," he said. "On the other hand, embedded IT, which cannot immediately be attacked, is much more scalable and more economical."
FOURÂ QUESTIONS FOR THOMAS HEMKER:
Mr. Hemker, the Symantec report paints a decidedly dismal picture of the digital security of today's connected cars. Is that the correct conclusion?
Hemker: If you look at the state of technology so far, you can be pessimistic, but if you look at the new technologies entering the car, there's more reason for optimism because developers are firmly anchoring the security aspects into the car from the start.
Why is it more difficult to safeguard cars against cyber attacks than it is to protect other internet-of-things devices?
Hemker: It's complicated because the car is an interface between the virtual, technical world, and the physical world, in which people can actually be in danger. Also, the car is not just one device; it's many devices. Many technologies don't work in the car. Take authentication; It has to function in real time, because you cannot have a delay in, for example, a braking action.
What conclusions do you draw from the recent spate of successful car hacks?
Hemker: These hacks are not trivial, especially when attackers use the GSM interface. But they are also not rocket science either. Still, the broad mass of attackers cannot easily reproduce these hacks. Clearly 100 pc security doesn't exist, but our goal is to anticipate specific issues that can arise and help build robust systems that can withstand attacks, even if we don't know yet what exactly these will look like.
Where does cybersecurity sit on automakers' priority lists?
Hemker: Especially following the US hacks, where attackers took over a car through the wireless interface, the automakers have a new awareness of the risks. That's why they are now planning authentication systems and other security mechanisms. It's a positive development.
FOUR QUESTIONS FOR SANDRO GAYCKEN:
Mr Gayken, we’ve seen many hacking attacks on cars in recent weeks. How safe is the connected car?
Gayken: Connected cars are moderately safe. The IT systems in general aren't particularly robust. They are secured with the same or even with fewer security technologies than office IT. In cars, it's obviously important how safety-critical invididual areas are. I can probably live with the entertainment system shutting down, but it's a different story when we're talking about airbags, brakes, or acceleration.
Who will profit from IT attacks on networked cars?
At first view, cars don't seem to be especially attractive targets. There's no immediate return on investment. If attacks are used for blackmail, the dangers for the victims are very high and the blackmailed companies are very big. Criminals don't like that because there is big escalation potential and criminal prosecution is highly likely.
Still, the risks are real, aren't they?
Yes, there are other business models. For example, auto hacks could be used to trigger precisely planned recalls. That makes stock market manipulation an attractive possibility. Such action would be taken by profesional criminal organizations that are willing to accept high risks.
What can carmakers and drivers do to protect their cars?
Car drivers can't do anything, but carmakers can do a lot. IT security has to be fundamentally conceived as part of the smart car. High-security IT approaches have to be realized. Firewalls and M2M encryption only have limited functionality in this environment and they are cumbersome. On the other hand, embedded IT, which cannot immediately be attacked, is much more scalable and more economical."
-By Arjen Bongard, Pascal Nagel and Yannick Polchow