As automakers rush to market connected cars to feed drivers hungry for collision avoidance systems and self-parking features, security experts are urging the industry to pump its brakes and prioritize their cars’ cyber defenses.
In a report released Tuesday by IDC and the security firm Veracode, researchers say that when it comes to car hacking, it will take automakers three years to catch up with the number of cyber threats targeting cars today.
“Cyber security is top of mind for automakers,” said Chris Wysopal, co-founder and chief technology officer at Veracode, in an interview with Threatpost. “But one of the really interesting things that came out of our survey was car manufacturers actually admitted that it could take up to three years before the connected car systems that they are building – or built – are secure.”
The revelation comes from the report called “Responsibility for vehicle security and driver privacy in the age of the Connected Car”. For the report (PDF), the authors polled 1,072 drivers across the UK and Germany and surveyed seven automakers including Fiat-Chrysler, Delphi, Seat and Scania.
According to the survey, half of drivers said they were “very concerned” about the security of smart car features. Concerns included third parties taking remote control of car functions such as steering, braking and cruise control.
Also troubling was the influx of third-party apps for infotainment systems such as Apple’s CarPlay and Google’s Android Auto. “Based on our conversations with manufacturers, the preference is to keep software that provides driver/vehicle functionality separate from the infotainment systems that encourage downloadable applications,” reads the report.
“If you have a mobile app that can unlock the doors, turn on a heating system or perhaps update the software to your transmission for better performance, that’s where the risks come in,” Wysopal said.
Last week, researcher Troy Hunt discovered that insecure APIs allowed remote access to the on-board computers of 200,000 Nissan automobiles via a poorly designed smartphone app. Hunt was able to remotely retrieve battery status and GPS log data and to control the AC and seat warmers on any car affected by the app’s flawed API authentication process.
“When you think about the plans to allow customers to download apps for infotainment systems to control different environments, the risk is only going to increase,” Wysopal said. “What’s going to happen when something goes wrong?”
Eighty-seven percent of drivers polled said car manufacturers should be liable for the safety of the car, including third-party app reliability, manufacturer apps and protection from hackers. “We have answered a lot of these questions in the smartphone world with iOS and Android,” Wysopal said. “But when it comes to automobile safety it gets much trickier.”
“(Car) manufacturers are pragmatic and accept that, from a consumer protection point of view, they retain a high degree of liability, if not with the originating fault or malfunction then at least with the responsibility for resolution and remediation,” according to the survey. However, car makers say it’s imperative that car control systems be separate from infotainment systems to avoid possible third-party tampering.
Privacy was also a major concern among drivers, with 46 percent saying they were worried about a flood of applications being integrated into a car’s on-board computer systems that collect GPS logs and also retain payment information, SMS messages and business-related email and calendar data. Car makers’ views on privacy “are not fully formed,” according to the survey.
“What the auto industry is dealing with is a microcosm of what’s happening in financial services and healthcare sector,” Wysopal said. He said car makers have a responsibility to set privacy rules and to act fast when it comes to designing in-car security to protect that data.
Wysopal said that in a world where your GPS logs are captured, how you drive is recorded, where you stop for gas is known and what you do in your car’s infotainment system is logged, new concerns are raised about where that data will end up and how it will be used.
“We predict a suggested time frame of 1-to-3 years before connected car systems are implemented with full consideration to cybersecurity concerns,” the survey concluded.
According to Wysopal, here in the U.S., there are a number of regulatory initiatives that hope to ensure manufacturers adhere to standards and drivers are protected. But, he said, just as car manufacturers are struggling to keep up with connected car security, the legal landscape is struggling to keep up as well.
One proposed piece of legislation is called the Security and Privacy in Your Car Act (or SPY Car Act). The legislation directs the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal security and privacy standards for connected cars and creates an Automotive Cybersecurity Advisory Council to develop cyber security best practices.