How automakers shield your car's electronics from hackers
As cars become more connected, automakers have taken strides to protect their electronics. But cybersecurity is fast becoming a real threat.
The connected car has been a hot topic on Capitol Hill lately. With issues such as distracted driving to autonomous cars facing them, federal lawmakers and regulators are considering the profound changes and issues that connectivity may bring to the cockpit.
Now the Senate and National Highway Traffic Safety Administration have set their sights on another connected car issue, one that has also plagued other parts of our online society: cybersecurity.
NHTSA Administrator David Strickland said at a recent Senate Commerce Committee hearing that his agency doesn’t “want to be behind the eight ball” in terms of car security.
While Strickland and the members of the Senate's Commerce Committee realize the benefits of connected cars -- including NHTSA's own connected car field trial in Ann Arbor, Mich., to study how vehicle-to-vehicle (V2V) communication can be used to prevent accidents -- they’re also concerned about potential hazards.
“These interconnected electronics systems are creating opportunities to improve vehicle safety and reliability,” Strickland said, “but are also creating new and different safety and cybersecurity risks.”
Committee Chairman Sen. Jay Rockefeller (D-W. Va) said that while he’s excited about the safety benefits of the technology, he’s also worried about connected car hacking.
“As our cars become more connected -- to the Internet, to wireless networks, with each other, and with our infrastructure -- are they at risk of catastrophic cyberattacks?” he said.
While sensational headlines occasionally pop up claiming that this risk is imminent, there's been only one report of a malicious car hacking incident: A former disgruntled auto dealership employee used his hacking skills to disable vehicles equipped with a device that prevents the engine from starting and honks the horn if car payments aren't met. But a group of university researchers has shown that compromising a car’s electronics is possible -- and that it’s relatively easy.
And while automakers are struggling to keep up with the rest of the tech world, they’re starting to address hacking and other security concerns.
Ford builds security solutions into vehicles from the outset of production. Engineers use “threat modeling” to review potential attacks and security issues, then design controls to fix them.
“We document the information flows, control boundaries and other elements to determine where we may have issues with things like data integrity, information disclosure, denial of service, escalation of privilege, tampering or spoofing, etc., and then determine one or more mitigation strategies to address the concerns,” the company told MSN Autos.
Ford added that its vehicle hardware has built-in firewall and application “white-listing” functions to separate vehicle control systems from infotainment functions. The automaker also uses Public/Private key cryptography solutions to prevent unauthorized updates to its Sync system's software, and software updates have to be “code-signed” and recognized as coming from Ford in order to update Sync.
Honda has been conducting research on vehicle-to-vehicle communication systems for the past six years and is aware of the security challenges that accompany the benefits of the technology. Honda engineers told us they're working closely with other automakers and the Department of Transportation to create “a secure, stable and inter-operable system” for connected cars.
“As an industry, we have yet to come to a full agreement upon single solution,” Honda said, “but we have made tremendous progress.”
Help is also coming from outside the industry. Battelle, the self-described world’s largest nonprofit R&D organization, took a novel approach to confront car-hacking last summer by hosting a camp for students to solve car-security challenges. For its first-annual CyberAuto Challenge, Battelle invited 20 handpicked high school and college students to work for a week alongside two dozen automotive engineers, IT researchers and government and Department of Defense officials to collectively hack away the issue.
“One of the critical aspects is connecting people and organizations,” Karl Heimer, senior research director of Battelle’s Cyber Innovation Unit, told Wired. “We reached out to the auto industry and government and told them why it’s important to develop the sort of engineers we’re going to need in two, three, five, or 10 years.”
Luke O’Malley, a junior at MIT majoring in electrical engineering and computer science, was one of the Battelle boot campers. “My biggest takeaway was, before the event, I saw a car as a car – a piece of machinery you drive around,” he said. “After the event, I see it more as a mobile computer that has potential security vulnerabilities.”
Now that car cybersecurity has caught the attention of Capitol Hill, expect to see more scrutiny and action on the issue. “If there is a chance of it happening, we have to address it,” Strickland said after leaving the Senate Commerce Committee hearing.
But he acknowledged that the agency and automakers have a tough road ahead in containing these threats. “Cybersecurity is hard,” he warned. “Even the best systems in the world can be compromised, as we have seen.”
Doug Newcomb has been covering car technology for more than 20 years for outlets ranging from Rolling Stone to Edmunds.com. In 2008, he published his first book, "Car Audio for Dummies" (Wiley). He lives and drives in Hood River, Ore., with his wife and two kids, who share his passion for cars and car technology, especially driving and listening to music.
No comments:
Post a Comment