The auto industry reached an important milestone in 2020: more than half of the cars sold globally included internet connectivity as a standard feature. Modern vehicles have started to resemble mobile supercomputers, with each one containing millions of lines of code and able to process vast amounts of data. They’ve also begun integrating with mobile devices and apps. Ford is the latest automaker to announce that it will use Google Android to drive its connected systems.
The automotive industry is doubling down on data to improve the driving experience and monetize the insights. But this hyperconnectivity comes with significant risks. Earlier this year, two researchers showed how a Tesla — and possibly other cars — can be hacked remotely, without any user interaction, with a drone.
The biggest implied security threats for the automotive industry are:
- Car theft
- User information extracted via data breaches
- Remote manipulation or control of car performance that threatens the physical safety of drivers, passengers, and others on the road
With that in mind, we wanted to explore some of the biggest security challenges facing automotive manufacturers in the foreseeable future.
Supply Chain Risk
Hackers are turning their attention to connected cars. These vehicles have multiple entry points, so there are several ways to profit from attacks. Since 2016, cyberattacks on connected vehicles have risen by nearly 100% annually. This reveals significant issues in securing the supply chain of the connected-car components and the vehicles’ apps.
Theft of Connected Cars
One of the goals for driving better technology into cars is to make them more convenient and more secure against theft. An example is a move from physical keys to key fobs that use a short-range radio transmitter. Yet today, all it takes is a pair of $11 radio gadgets to hack key fobs and steal the car. Remote-start is another feature that has become increasingly abused by car thieves.
The hacking of connected car security systems and the availability of cheap theft devices, even ones made using old Nintendo Game Boys, means that thieves can access nearly any connected car they want.
With large processors and multiple data receptors, connected vehicles have the potential to collect more personal information about their users than nearly any other connected device. Former Intel CEO Brian Krzanich predicted that vehicle connectivity would create a flood of data, with each car creating 40 terabytes of data for every eight hours spent driving.
Unfortunately, with seven different modes of connectivity and information stored in unsecured repositories, this data is highly vulnerable to theft. A Washington Post investigation, for example, revealed how much personal data could be extracted from the second-hand infotainment computer from a Chevy. With more and more models shipped with 4G or 5G connectivity, hackers don’t even require physical access to a vehicle to infiltrate it and extract private information.
Cars Performing Unwanted Actions
The dystopian possibility of bad actors accessing a vehicle and taking control away from the driver has moved from action movies to the real world. One of the most famous examples of this was researchers hacking into and knocking out the transmission on a Jeep Cherokee while it did 70 mph on the highway. This ultimately led to Chrysler recalling 1.4 million vehicles.
The remote takeover of system functions is a prominent worry for autonomous vehicles. Researchers have shown how the advanced driving assistance systems (ADAS) on a Tesla Model X could be fooled into swerving into oncoming traffic. Other research has shown how autonomous vehicles could shut down New York if they were hacked and turned off in traffic. For connected vehicles to reach their full potential, automakers need to convince regulators and customers that they are truly safe and secure.
Connected Car Apps
Mobile apps replacing key fobs is the next significant advancement that we are starting to witness. Today, these apps can carry out anything from simple functions like unlocking the car to advanced actions like self-parking or summoning the car. All of these features require sensitive information to be stored and communicated from within the app. So securing data at rest and in motion becomes critical to earning customer trust.
For this to happen, application developers need to make connected car cybersecurity a top priority. But that isn’t as easy as it sounds. Maintaining a large enough in-house security team to keep application security at the level needed might not always be a viable option for automotive manufacturers. Applications are already the third most popular attack vector used to infiltrate connected cars. With thefts growing, car apps are likely to become even bigger and more lucrative targets.
The Road Ahead: Better Security for Modern, Connected Cars
Bolstering connected car cybersecurity and keeping associated automotive applications safe from hacking requires multiple techniques to block and frustrate hackers’ efforts. Here are some simple recommendations for where to start:
- Use advanced code obfuscation and anti-tampering capabilities. These together shield the application from hackers performing static and dynamic analysis once they have the app.
- Add capabilities such as run-time self-protection (RASP) and anti-malware protection that allow apps to defend themselves when running on end-user devices whose health is unknown.
- Use white-box cryptography to protect all the cryptographic keys used to secure storage, communication, and access.
Zimperium’s Mobile Application Protection Suite (MAPS) helps automobile manufacturers keep data safe and their vehicles secure, allowing them to fully capitalize on advanced technologies and build differentiated products.
MAPS is comprised of four capabilities, each of which addresses a specific need when it comes to securing the entire application lifecycle:
- zShield | Application Shielding – Protects the source code, intellectual property (IP), and data from potential attacks like reverse engineering and code tampering
- zKeyBox | White-box Crypto Protection – Protects your secrets and keys so they cannot be discovered, extracted, or manipulated
- zScan | Application Security Testing (AST) – Helps your mobile app development organization discover and fix compliance, privacy, and security issues within the development process before you publicly release your apps
- zDefend | Runtime Application Self-Protection (RASP) – Helps detect and defend against run-time exploitation and abuse from device, network, phishing, and malware
Zimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based protection against Android, iOS, and Chromebook threats. Powered by z9, Zimperium provides protection against device, network, phishing, and malicious app attacks. For more information or to schedule a demo, contact us today.
The post Your new car may be safer and smarter, but is it cyber-secure? appeared first on Zimperium Mobile Security Blog.