Adrian Davis, Managing Director, EMEA at (ISC)² explains how we can stop the ongoing proliferation of vulnerabilities in connected cars
It’s clear that we are rapidly moving towards turning cars into rolling internet browsers, connecting to everything from traffic lights to household appliances. Future vehicles will get remote updates on traffic jams or weather, automatically alert emergency services to accidents as they happen, allow drivers to get over-the-air ‘upgrades’ without visiting a dealership and even warm up their kettles from their cars. Software updates can now give cars self-driving features, turn them into rolling Wi-Fi hotspots or even allow them to interact with traffic lights.
All of these features mean that cars are becoming mobile data hotspots, receiving and sending information that can be exploited by automotive firms to sell or create more people-centric products or services. This data can also be sold to other companies to target location-based advertising at drivers, or help insurance companies set their rates. It is predicted that connected cars will soon send up to 25 gigabytes of data to the cloud every hour.
Yet all the indications are that cybersecurity has failed to keep pace with increasing automotive connectivity. This was starkly illustrated earlier this year when a team of hackers remotely took control of a Tesla from 12 miles away. Many basic software vulnerabilities have been found in cars, including a failure to apply basic encryption to remote car-locking.
The problem is that manufacturers are treating cybersecurity as an afterthought to the design process, with flaws only being found and fixed after the car is already on the road. This ‘fire brigade approach’ to cybersecurity was exemplified by Fiat Chrysler’s recall of 1.4 million vehicles after security researchers exposed a software flaw which should have been found at the design stage. It is as if car manufacturers were to build cars and forget to put door locks on them until someone managed to break into the vehicle.
This problem extends far beyond the automotive industry; (ISC)² has found that software applications are often not scanned for vulnerabilities during software development. This means that application vulnerabilities still top the list of security concerns among information security professionals worldwide.
The current automotive design model sees software developers and security researchers as two separate silos of expertise that rarely meet. This produces a disjointed approach to security, leading to panicked vehicle recalls and emergency software updates.
We need to see security as a core aspect of the automotive software development profession, just as vehicle safety is a central aspect of the automotive engineering profession. Car companies should be building cybersecurity into every piece of software from the beginning, just as they incorporate car locks, airbags and seatbelts into the car at the design stage.
Instead of the software developers outsourcing the task of cybersecurity to security researchers, security should become a core part of coding, integral to every part of the software development lifecycle.
This will require a change in the way that coding is taught, with cybersecurity turned into a core component of all school, college and degree courses in computing and software development. The UK is pioneering this approach.
BCS – The Chartered Institute for IT, which accredits most University computing courses in Britain, recently incorporated cybersecurity guidelines and learning outcomes in its official accreditation criteria for its computing degrees for the first time. This means that cybersecurity will no longer be taught as a stand-alone subject, but will soon be part of every computing degree. Everyone from software engineers to game developers will have a common base of cybersecurity knowledge. The first General Certificate of Secondary Education (GCSE) questions on cybersecurity were recently launched, and schools have also been receiving cybersecurity lesson packs as part of school computing classes. Meanwhile, the UK Engineering Council now includes cybersecurity in its UK-SPEC competence requirements for engineering professionals.
But there cannot simply be a supply-side solution to this. The automotive industry needs to further incentivise the new approach by including cybersecurity as one of the key criteria in their hiring checklists for coders. Cybersecurity knowledge needs to be considered a requirement for entry-level software developers, just as we would expect all automotive engineers to understand safety features and requirements. The only way to ensure the safety and security of all road-users in the age of connected cars is to is ensure all future software is designed with an electronic version of locks and seatbelts.