Plug car security holes before self-driving vehicles arrive, industry warned
Car makers need to improve the security of today's connected cars before the arrival of self-driving cars, according to Europe's cyber security agency.
"Over the last few years, there have been many publications on attacks against smart cars, many of which have resulted in reputational damage for car manufacturers. The impact of attacks on a smart car has far-reaching consequences in terms of safety, while the cost of cyber security is becoming an issue for car manufacturers. The risk to the driver, passengers and other users of roads makes it a matter of national and European interest," said the report from Enisa.
Its executive director Udo Helmbrecht said: "We need to bring together all European automotive industry actors to secure smart cars today, for safer autonomous cars tomorrow."
The report warned that while the automotive industry has a long-standing expertise in car safety, many security issues of connected systems in cars and their potential impact on car safety are not yet properly taken into account. It lists a number of potential risks including:
- No in-depth strategy during the design of the system, such as a secure boot process.
- No security- or privacy-by-design, which means more information than is really needed may be exported outside of the car to third parties.
- Lack of communication protection, on internal as well as external interfaces.
- Lack of authentication and authorization, especially for privileged access to vital embedded Electronic Control Units, for example no validation or signing of firmware updates, and updates that happen without server authentication.
- Lack of hardening, for example a lack of data execution prevention or attack mitigation technologies used on firmware, while ECU services are exposed through different entry points, and even unnecessary communication ports are left open.
- Lack of diagnosis / response capabilities.
"Some manufacturers do not perform frequent software updates, thus exposing automotive devices to known vulnerabilities (for instance in software frameworks, such as a SSL library or browser library). Such updates, even if released in due time by manufacturers, are still seldom deployed over-the-air and may require the car owner to use a USB stick for installing the update or to go a car dealership garage," the report said.
One positive note: recent moves by software companies, as well as traditional automotive manufacturers, to develop smart cars may change attitudes towards security, making firms more open to ideas like collaboration with "white hats" or the implementation of bug bounty programs.
Who gets the blame when things go wrong is also an issue, thanks to the interconnected nature of the systems within a car.
"There is no chance to enforce a perfect isolation between driving, debug and infotainment (or connected) systems, which means that vulnerabilities from any actor, including aftermarket components, may allow compromising safety- related features of a vehicle. In this context, there is a need to clarify the liability of each actor in case of a security event," the report warned.
The study suggests the following recommendations, to increase cyber security in smart cars in Europe:
- Improve information sharing amongst industry actors.
- Achieve consensus on technical standards for good practices.
- Clarify cyber security liability among industry actors.