Steps carmakers need to make to secure connected car data

We are steadily moving toward a future where connected cars are becoming the norm. This is in large part thanks to the huge increase in consumer demand that has been fuelled by the convenience that IoT-connected vehicles can offer.

This consumer demand makes sense when we consider the far-reaching benefits of driving or owning connected vehicles. Here are just a few of them:

  • A connected car enhances the experience of owning or using a car due to the vast array of connected car apps and services which blend seamlessly with the smartphone applications the user has. The connected vehicle naturally leads on from these, creating more consistent experiences that connect flawlessly with the rest of the user’s daily interactions.
  • The safety of passengers and driver is increased and hazards are more easily avoided.
  • The driver has more control over the vehicle as well as its remote diagnostics.
  • Many routine tasks like parking can be automatized or part-automatized.
  • There are also numerous financial advantages to driving a connected car. Potential problems with the vehicle can be detected much earlier and money on fuel can be saved when the most efficient route is always taken.

Consumer fears

However, although the global connected car market is expected to exceed $219 billion by 2025, the industry is still experiencing setbacks in its quest to go fully mainstream due its one major disadvantage: consumer fears of cyberattacks.

We are all aware that an increase in connected devices, whether vehicles or other devices, automatically increases the number of entry points and opportunities for criminals. Considering the often very serious consequences of such attacks, this consumer fear is a legitimate one that needs to be addressed by both the IoT industry and, crucially, manufacturers of connected vehicles (OEMs) if the industry is going to succeed in achieving full consumer trust and adoption of its products and keep their data safe.

Current security status

As we have seen in recent months, steps have been made to set norms for data security in other areas of data exchange. For example, the GDPR has made a significant difference to how we experience web browsing and newsletters, indeed any interaction that involves the processing of personal data. However, currently, providers of IoT services are not required to conform to any additional security laws or standards. While some are calling for government legislation, there are already a number of companies working on solutions to tighten up the security of connected devices.

It’s still not clear exactly what the impact will be on our personal privacy when embarking on this connected future. What is clear, though, is that if car manufacturers themselves don’t step in with some clear technologies to prevent data hacking, mismanagement or privacy breaches, the connected car industry will continue to struggle to be accepted by the mainstream public.

So what are the carmakers themselves currently doing? And what are lawmakers already legislating for? Crucially, what else needs to be done order to reassure users that their data is secure?

Current legal protection for users

In 2017, the Safely Ensuring Lives Future Development and Research in Vehicle Development Act was passed in the United States. This act requires carmakers to each develop their own cybersecurity plan to regulate access to automated driving systems.

Also in 2017, the U.S. Department of Transportation and the National Highway Traffic Safety Administration (NHTSA) released new federal guidance for automated vehicles, “Automated Driving Systems 2.0: A Vision for Safety,” which encourages best practices and puts safety at the top of the priority list. Unfortunately, the guidance does not address data privacy specifically, but it does recommend the “development of systems that guard against cyberattacks and protect consumer privacy,” which goes some way toward that.

Although not strictly a legal protection, the Auto-ISAC set up by the U.S. government back in 2015 does seek to gather and disseminate information about cybersecurity risks facing connected vehicles around the world. This community of industry experts and academics shares relevant security information for the auto industry, enhancing the ability of the automotive industry to prepare for and respond to security threats, vulnerabilities and incidents so that connected vehicle ecosystem stakeholders can best manage their business risks.

Documents to note:

  • “Automotive Cybersecurity Best Practices” launched in July 2016 by Auto-ISAC as an expansion to the “Framework for Automotive Cybersecurity Best Practices” published in January 2016 by the Alliance of Automobile Manufacturers and the Association of Global Automakers.
  • “Cybersecurity Best Practices for Modern Vehicles” published in October 2016 by the U.S. Department of Transportation’s NHTSA.

What can automakers do to secure connected car data?

1. Investment in hardware security
Typically the vehicles we are most used to seeing and driving everyday have not been fitted with any kind of hardware security within the electronics of the car itself. This is because the car was never originally intended to have an open system that could be connected to outside systems like IoT devices. Instead, the system of the car would have been intended to be a closed system.

Because of this, as soon as you connect the vehicle to something external, there are not sufficient protections (e.g., a firewall) in place against malicious parties. This is resolved in new cars by installing something called a secure gateway.

What is a secure gateway?

As described here, a secure gateway works as follows:

“The gateway and in-vehicle networking (IVN) connect the different domains in the vehicle. The gateway serves as a central hub, connecting while offering isolation between the different networks. It filters which nodes can legitimately communicate with other nodes and the external networks in the connectivity domain to offer security to the connected car.

The gateway is capable of processing large amounts of data required for the autonomous and connected car and converting different automotive communication protocols. It is capable of securely enabling software over-the-air updates for the electronic control units to enable new features that improve the driver and passenger experience.”

For IoT devices, no interaction could happen with the vehicle without first passing the secure gateway, making the exchange of data between two parties significantly more secure.

2. Investment in software security
With cybersecurity incidents continuing to rise, carmakers need to incorporate a cybersecurity approach that takes into account not only obvious exposures in their car’s software, but also the hidden vulnerabilities that could be introduced by open source software components.

Connected car software code is extremely complex to say the least, with the average car software based on around 100 million lines of code. With so much complexity comes many opportunities for vulnerabilities and an increased risk of malicious attacks from cybercriminals. It’s not unusual these days to hear of malware that is specifically developed to target flaws in car software.

Currently, numerous big-name carmakers and their software suppliers deploy testing tools, such as static and dynamic application security testing (SAST and DAST) tools, to identify coding errors that may result in software vulnerabilities and opportunities for hackers and criminals to enable or disable certain features remotely. While these tools are effective in spotting bugs in code written by the carmakers’ own internal team of developers, they are not effective in identifying open source vulnerabilities in third-party code, leaving many major components of today’s applications exposed due to their being made by developers working for external IoT vendors and not the carmakers themselves.

3. User awareness and consent
In addition to securing the car hardware and in-vehicle software, it’s important to emphasize the carmakers’ responsibility in alerting users to the importance of which devices they allow to connect to their car and for what purpose. This is where user consent needs to be sought and GDPR regulations stringently applied. Third party IoT vendors must clearly define why their want to interact with the car and what they plan to do with any data that they get from the car, but it’s the job of the OEMs to reassure users of their data security.

The future success of connected cars will depend largely on how OEMs approach customer data, how they handle users’ privacy concerns and, in turn, conform to GDPR regulations. In 2015, it was reported that 44% of all Americans were “very concerned” about the possibility of their information getting stolen from their smart home, and 27% were “somewhat concerned.” Despite strides made via the compulsory implementation of GDPR in early 2018, consumers still need to be reassured that their data will be safe, confidential and not at risk of being sold on before they confidently purchase connected cars. Even if the technology is ready, without general public acceptance the industry will go nowhere.

For each OEM, the implementation of a strong privacy strategy will be key to its success in the connected car industry itself, but also to secure and reassure its customer base.

Other points for OEMs to consider regarding data privacy:

  • Carmakers need to be fast on their feet; privacy regulations are evolving rapidly, as are mindsets and attitudes toward the abuse of misuse of personal data.
  • Consent should be an affirmative action from the user (as opposed to a passive one) and should be able to be withdrawn by the user at any time. It will be important that businesses can prove, if and when required, that consent was given, as well as proving that such consent was honestly and legitimately obtained.
  • Privacy in the design — user privacy should be a major, if not the major, consideration for OEMs at every stage in the car’s design, development and manufacture.

Conclusion: A security-first approach

As we look to our increasingly connected future, we can be certain that although the relationship between vehicles and IoT is only likely to increase in complexity, with a considerate approach to privacy and data security, any risks of cyberattacks or data misuse can be significantly mitigated. The IoT industry is growing at an exponential rate right now, and traditional car companies need to take a security-first approach in order to take advantage of the huge advances technology can make to the lives of drivers and road users via connected vehicles.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.

Data Center
Data Management