Tech

Three top tips to keep connected cars safe from hackers

As auto manufacturing dips a toe into the computing realm, how can consumers be protected?

Written by Charlie Osborne, Contributing Writer Aug. 6, 2015 at 3:33 a.m. PT

There are three principles automakers must implement immediately if they are going to keep their vehicles and customers safe from the rising threat of cyberattack.

This week at Def Con, CTO of Lookout Kevin Mahaffey and Cloudflare's Principal Security Researcher Marc Rogers plan to reveal the results of research into Tesla vehicle security.

Outlining their thoughts in a blog post on Thursday, the team says they assisted the automaker in fixing a number of vulnerabilities through a software-first approach, patch process and system isolation between drive and entertainment systems.

Six vulnerabilities were discovered within Tesla vehicles through the analysis, and the security researchers were able to gain root access to the Tesla Model S infotainment systems. Once access was granted to these systems, the team were able to remotely lock and unlock the car, control the radio and screens, display any content on the screens -- such as altering the speedometer -- open and close the boot, as well as turn off the car systems.

Featured

When turning off the car systems, Mahaffey and Rogers discovered that they were able to apply the emergency hand brake if the car was idle or traveling at under five miles an hour.

Tesla is just one example of how auto manufacturers need to look beyond chassis design and entertainment features to stay competitive in the marketplace. Now more than ever, security must become a top priority.

In order to combat the emerging threat of digital threats against vehicles, automakers need to immediately make radical changes. According to Mahaffey and Rogers, there are three top priorities automakers need to consider, as listed below:

1. Set up an over-the-air update system: As the case of Fiat Chrysler's security flaw represents, where updates to fix a security issue must take place over mailed USB sticks or driving into a dealership, if you integrate networked computer systems into vehicles which may contain software vulnerabilities, you must also include a way for them to be fixed wirelessly to promote efficient security practices. New firmware needs to be pushed out to keep customers safe from software exploits, and this requires cars to have a mobile network connection free of charge.

2. Have strong separation between drive and non-drive systems: According to the researchers, manufacturers must separate infotainment systems and the critical drive systems in order to place a tight lid on communication between both systems. In this manner, vulnerabilities in one system cannot necessarily touch the other -- and if gateways exist, they must be heavily secured.

3. Secure every individual component in your system to limit the damage from any successful penetration: A systems's security is only as good as its weakest link. Therefore, if an attacker gains access to one part, they may be able to infiltrate others. To prevent this happening in the first place, automakers need to make systems difficult to access to stop a "daisy chain" infiltration pattern occurring.

The researchers say:

"While the state of automobile cybersecurity would be substantially improved if all manufacturers implemented these best practices, they are just a start.
It takes years for a company to develop a strong cybersecurity culture, and even with a strong internal cybersecurity team, that team must be supported by and integrated into the organization as a whole. Further, companies with experienced security teams look not just inside the company for support, but outside to the global community of security researchers identifying problems."

This week, news surfaced that Fiat Chrysler did not inform US regulators of a severe software flaw in Uconnect-equipped vehicles which could allow attackers to remotely control cars. Fiat Chrysler has recalled 1.4 million vehicles which may be vulnerable to the vulnerability -- on a voluntary basis -- and has issued software updates to combat the problem.