Three Approaches to IoT Security: Part Three

This article, the third in our three-part series, looks at how one connected-car accessory maker approaches data security, and at how carmakers can follow the lead of tech companies by learning from the hacker community.
By Mary Catherine O'Connor

The Car's Place in the IoT
What makes the auto market special—and vexing, from the point of view of securing IoT-connected cars—is that it sits "right at the nexus between consumer products and something that needs life-protecting levels of security," says Hoffenberg. "There are 100 million vehicles sold each year. That is a very high number compared to airplanes or military equipment, or other things that must be built with really high [data] security."

Automakers have been building connectivity into automobiles for many years, and Hoffenberg notes that many car models being driven off sales lots today have built-in Internet connectivity. Some vehicles support over-the-air firmware updates and vulnerability patches, but many cars on the road today contain cellular modems that do not support over-the-air updates. Owners of these vehicles must either bring them into a dealership for the update, or download the update onto a USB stick and install it manually.

The latter options are the ones that Chrysler presented to Jeep owners last month, following the hacks that security researchers Charlie Miller and Chris Valasek demonstrated: once they were able to send remote commands to the car through its Internet-connected infotainment system, they could disable the vehicle while it was moving at highway speeds, or take control of its steering. A few days after Wired magazine published a story about the Jeep hack, Sprint made changes to its cellular network that block the remote attack path Miller and Valasek publicized in their research paper. This means that even vehicles that have not received the software patch Chrysler issued are now shielded from other hackers exploiting the vulnerability over the cellular network. The vulnerable software, however, remains on unpatched cars: an attacker could still try to reach the car over its Wi-Fi radio to perform the same exploits, but to do that they would need to be physically close to the vehicle.

While instances of hacking into connected cars draw a great deal of media attention, they have thus far been instigated by security researchers who want to see carmakers take cyber security more seriously, and none of the hacks have been exactly easy, Hoffenberg notes.

Steve Hoffenberg
"Most exploits published thus far required extensive research over long time periods by knowledgeable people who had direct access to the vehicles [that they hacked]. In some cases, they had to reverse engineer components. So while not impossible, they take a lot of time and investment," he says.

Yet, while Miller and Valasek used a 2014 Jeep Cherokee to reverse-engineer the telematics system and discover the vulnerability, they say that once they had found it, they could have repeated the same attack on any Chrysler vehicle equipped with the Harman Kardon Uconnect 8.4AN/RA4 radio, the infotainment head unit on which they conducted the exploit. Based on the number of vehicles covered by the software update Chrysler issued, Miller and Valasek put that figure at 1.4 million vehicles, including the Viper, the Durango, the Chrysler 200 and others.

Still, while someone could remotely disrupt the operation of a car for malicious reasons—namely to hurt the driver or others—Hoffenberg says it is more likely that nefarious parties are looking for vulnerabilities in connected devices that could lead them to credit card data or other financial information. "The auto market does risk becoming a poster child for IoT's failure [in the consumer realm] if there were to be massive breaches. But thus far that has not happened."

The task automakers face is a daunting one, and will force them to hold their myriad suppliers to a high standard for data security, so that no single component can become a weak link. "Each supplier has to make sure their component is secure, but when you put a bunch of secure pieces together, you don't necessarily get a secure whole," says Hoffenberg, "because there [can be security] gaps between the components."

Carmakers are essentially turning cars into rolling, connected, sensor-filled computers, so a good way for them to address the security of the data that these cars are trafficking might be to follow the lead of tech companies. Google and Mozilla incentivize outside researchers and users to seek out weaknesses in their respective products by offering "bug bounties." Through its Bug Bounty Program, Mozilla has paid out $1.6 million to individuals who have brought security vulnerabilities to the organization's attention. Google has also distributed millions through various bug bounty programs over the past five years. Tesla has followed suit: its bug bounty program offers $25 to $10,000 per bug.

Ferguson says Automatic is launching a bug bounty as well, and hires third-party security analysts to ensure its OBD device stays ahead of the latest security threats. Although the company has not been the victim of a security breach, he says there is never a time to let down the defenses. "Security is not a goal, it's a process," he says.
