Connected car security: why identity should be in the driving seat
The recent news of the Nissan Leaf API vulnerability is a clear example of why security without identity increases risk, and connected cars are no exception
An increasingly diverse range of connected objects has joined the Internet of Things (IoT) in recent years. Whilst the IoT was once primarily the province of consumer gadgets and wearables, it now includes a growing number of luxury products such as connected cars and smart home systems. Indeed, according to IDATE, 420 million drivers will generate a connectivity market amounting to €9 billion by 2020.
However, with cars increasingly becoming computing platforms rather than simply a means of travelling from A to B, they are also becoming more attractive targets for hackers.
This is backed up by evidence, such as statistics from the French Drivers' Association '40 millions d’automobilistes', which recently revealed that three-quarters of the cars stolen in France in 2014 were electronically hacked. Identity-driven safety will become a necessity, and security checks by owners are likely to become commonplace.
A sector that is rapidly growing but lacking in security
Digital transformation is having a significant impact on all industry sectors, but nowhere more so than the automotive sector. The motor companies of today are likely to look very different in ten years' time as they continue evolving from manufacturers to complex service providers.
At the moment, there is a heavy focus on the development of smart automotive technology within the industry. Why? Because having the ability to record and analyse all manner of data generated by a car (distance travelled, speed, braking rate, etc.) means manufacturers can deliver significantly more personalised driving experiences, whilst also collecting valuable product data as a result.
It is estimated that there are currently between 40 and 60 million connected cars throughout the world, each carrying a large number of both smart and constrained devices, which are themselves connected to the Internet. Within the next five years, Gartner predicts the total will increase to over 250 million.
At present, the average security level within these vehicles is equivalent to that of IT systems and computers from between 1980 and 1985, with very limited encryption, data protection or identity management.
Connected cars are still too vulnerable
A growing body of evidence is coming to light that demonstrates the vulnerability of many connected cars on the road today. Just recently, Nissan was forced to suspend the functions of its smart car companion app after researchers found it could be used to access control systems in its Leaf electric cars.
Perhaps more notably, last year two hackers working with WIRED magazine took control of a Jeep Cherokee via its Uconnect infotainment system as it travelled on a motorway at 70mph.
They did this all from the comfort of their living room 10 miles away. Once they had gained access, they were able to control the dashboard functions, steering, transmission and even the brakes.
Thankfully in this instance, the hack took place under controlled circumstances, but it serves as a stark warning of what could have happened if they had been acting with malicious intent.
The resulting impact on Jeep’s parent company Chrysler was disastrous – Chrysler was forced to recall 1.4 million vehicles so that the vulnerability could be addressed.
The heart of the sector's digital transformation: Identity
When people talk about connected cars, identity is becoming a critical element: the identity of the user, of the car itself (or its connectivity system), and of the devices that might connect with a vehicle, such as the smartphone, tablet or digital key dongle.
The major problem at present is that there is no correlation between the identity of the driver and the identities of the smart devices within the car.
In terms of security, this relationship must be established so that only the vehicle’s operator – whose identity is authenticated in advance – can control the various on-board connected devices.
Therefore, if a hacker tried to take control remotely, they would be blocked, as their identity would not be recognised by the vehicle or its systems. To achieve this, an effective identity management platform must be deployed that can link together all of the relevant identities in the correct context.
In the case of authentication via the driver's identity, the vehicle does not have to be dedicated exclusively to one person. The identity of a vehicle or device can be linked to numerous physical identities of individuals interacting with it.
For instance, it may be linked to the various members of a family, with each person having specific authorisations in terms of the various actions they are allowed to perform.
For example, the car's identity could be linked to the identities of both the driving members of the family and that of a younger member, who would have access to the onboard entertainment system, but no access to any of the controls related to the actual driving of the vehicle. A classic example of identity relationship management at play.
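The relationship model described above can be expressed as a deny-by-default check that ties together the person, the device they are using and the vehicle. The following is an added sketch, not code from ForgeRock or any manufacturer; the identifiers, action names and the `authorize` function are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample data: every identifier and action name below is
# hypothetical and chosen only to mirror the family example in the text.
DRIVING = frozenset({"unlock", "start_engine"})
ENTERTAINMENT = frozenset({"play_media"})


@dataclass
class Vehicle:
    vehicle_id: str
    grants: dict = field(default_factory=dict)   # person_id -> allowed actions
    devices: dict = field(default_factory=dict)  # device_id -> owning person_id


def authorize(vehicle, person_id, device_id, action, authenticated):
    """Deny by default: person, device binding and grant must all line up."""
    if not authenticated:
        return False, "person not authenticated"
    if vehicle.devices.get(device_id) != person_id:
        return False, "device not bound to this person"
    if action not in vehicle.grants.get(person_id, frozenset()):
        return False, "action not granted to this person"
    return True, "ok"


def build_family_car():
    return Vehicle(
        vehicle_id="car-001",
        grants={
            "parent": DRIVING | ENTERTAINMENT,
            "child": ENTERTAINMENT,
        },
        devices={"phone-parent": "parent", "tablet-child": "child"},
    )


if __name__ == "__main__":
    car = build_family_car()
    requests = [
        ("parent", "phone-parent", "start_engine", True),
        ("child", "tablet-child", "play_media", True),
        ("child", "tablet-child", "start_engine", True),
        ("parent", "tablet-child", "unlock", True),       # wrong device for this identity
        ("stranger", "laptop-unknown", "unlock", False),  # unrecognised remote caller
    ]
    for req in requests:
        print(req, "->", authorize(car, *req))
```

The same vehicle identity serves several people, but each request is decided on the combination of authenticated person, bound device and granted action, so a caller the vehicle does not recognise never reaches the grant lookup.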
The future is a multi-layered, identity based approach to security
In the future, multi-layered security approaches will almost certainly be used to further protect connected cars from remote hacking. Indeed, various physical authentication methods such as fingerprint and facial recognition are already in testing, working in tandem with onboard identity management systems to increase the security of the whole vehicle.
The choice of security and authentication systems is vast, with more options being added all the time. Manufacturers will no doubt surprise us with many more state-of-the-art features in the future, but the end goal remains the same: protecting the legitimate owner and occupants of the vehicle.
For automotive companies, the connected car is both an exciting and a risky prospect. Trust will be a key factor. Consumers need to have complete trust that the technology is safe and secure before they are willing to put their lives in the hands of the manufacturers.
Clearly, the IoT has a long way to go, and cases such as those of the Jeep Cherokee and Nissan Leaf haven’t done the industry any favours. Still, the connected car undoubtedly represents the future of the industry, and the sooner a more robust approach to security is adopted, the sooner we will see consumer trust increase.
Sourced from Simon Moffatt, Director Advanced Customer Engineering, ForgeRock