Embedded car systems ignite security fears

Developers of embedded devices, such as in-vehicle communications systems, need to practice good security habits because users have little room to act, experts urge.

As with any business software or system, creators of technology such as in-vehicle communications systems should observe good security practices to safeguard users against potential risks, according to industry observers.

This is especially important as embedded systems are becoming increasingly ubiquitous, noted Judy Wu, research manager for security research at IDC Asia-Pacific, in an e-mail interview with ZDNet Asia.

"Embedded security will be critical for the many next-generation applications and devices, especially when these applications and devices are applied into specific domains of our everyday life--from automobiles, hospitals to traffic light controls and flight control for passenger jets," Wu said. "When these systems are connected to the Internet, the magnitude of the threat scales and consequences are critical."

Ronnie Ng, Symantec's senior manager of systems engineering for Singapore, pointed out that embedded systems run on operating systems similar to those in PCs and hence will be exposed to the same security issues, such as vulnerabilities.

"With increased connectivity to the Internet, we have increasingly seen mobile platforms becoming a target and it comes as no surprise that other devices may become at risk," Ng said in an e-mail. "With greater adoption and use of such technologies in consumer devices, attackers may see potential for financial gain in developing malware for such systems."

PCs, for instance, can be infected to become part of a botnet and relay spam, he added. "Attackers can take advantage of embedded systems with Internet connectivity to do the same if these systems are not protected.

"Should users connect to their online bank accounts using the Wi-Fi in their cars, it is another avenue for personal information to be stolen and re-sold on the underground economy," he noted.

An identity, with data including name and banking details, can be bought in the underground economy for as little as US$1, Ng said.

Put security in right from the start

According to IDC and Symantec, security should be designed into embedded systems, and not simply included as an afterthought.

Wu said: "The systems or applications should be secure at the time when they are built or coded. The basic rules for security--prevention, detection and response--should also apply.

"Gradually, the various technologies for system security, be it cryptography, wireless network security, strong password, advanced authentication, intrusion prevention [or] vulnerability assessment, will all need to be designed and configured in a way to address these industry-specific applications," she added.

Ng noted that in the case of in-vehicle systems, users are typically not allowed to install third-party or after-market software, so there is a dependency on car manufacturers to make sure the systems are secured and safe for use.

Automakers, therefore, ought to ensure systems are secure by working with leading security vendors, as well as including antivirus, application-centric firewall and intrusion protection capabilities to protect against increasingly sophisticated malware, he said.

Ford Motor Company is one car manufacturer that has taken this path.

Earlier this month, the U.S. automaker announced new security features in its next-generation in-vehicle communications system Sync, including firewalls, antivirus technology, secure Wi-Fi using WPA2 (Wi-Fi Protected Access 2), and password access.

Sync, which runs on Windows CE, allows car users to pair mobile phones to the system, play audio from media players and obtain traffic or navigation information. It was jointly developed by Ford and Microsoft.

A Ford spokesperson told ZDNet Asia in an e-mail that the company is not aware of any prior security compromise in such in-vehicle systems.

A spokesperson at Kia Motors said the company was unable to comment on Wi-Fi-enabled systems as they are not currently available in Kia vehicles. He added that the company utilizes Bluetooth, and abides by the same privacy rules laid down by the Bluetooth Special Interest Group.