Hacking IoT devices and smart objects is always making headlines. After all, we use these devices to simplify our lives – so having their processes interrupted, hijacked or used against us is a real nightmare. However, hacking a thermostat is one thing; hacking a car is another.
At this year’s Black Hat in Las Vegas, experts once again showed that the Jeep Cherokee is vulnerable to the whims of cyber-crims. Researchers sent false messages to the car’s internal networks, overriding the legitimate ones. They could then steer, brake and speed up the vehicle. It was the same researchers, Charlie Miller and Chris Valasek, who infamously hacked a Jeep whilst on the highway just over a year ago.
Speaking to IT Security Guru, Brian Spector, CEO at MIRACL, said that “The Jeep hacks demonstrate the serious problem of verifying the identities of people using the connected devices within today’s cars. Having very limited encryption, identity management and data protection within such a powerful computer is extremely dangerous and poses a real and serious threat to everyone using our roads today. Move forwards to the increasing trend for driverless cars, and the potential fallout from this lack of authentication becomes even more frightening.”
But in terms of preventing this from happening in future, what can carmakers do? Spector told us that “For connected cars to become more secure, relationships must be established within the components of a vehicle, to ensure that only a legitimate operator can control the connected devices within a car. If a hacker then tried to take control of one of the on-board systems, their identity would not be verified and access would be denied. The current security checks often fail because they rely on slow, centralised identity verification services. To connect the components more quickly and autonomously, manufacturers should deploy a distributed trust model which allows for fast pre-authorisation, and removes the roadblock of a centralised service.”
But are car manufacturers taking cyber security seriously enough?
Richard Kirk, Senior Vice President at AlienVault, told us that “There is no evidence that car manufacturers are taking cyber security seriously. One has to assume that given the recent high profile car hacks, the manufacturers have changed the way that they approach security, however this is not being publicised. Perhaps they should be boasting about their work as no doubt savvy customers will soon start asking questions.”
So it appears consumers are going to have to start getting serious about security or face all manner of cyber-risks. This isn’t a shift that happens overnight, so car owners need things they can start doing now to build good personal security habits that will prevent them falling victim to such a hack.
Kirk advised us that “Car owners should apply the same rules that they follow, or should be following, for their computers and smartphones. Use hard to guess passwords, do not share passwords and do not give anyone access to your car app or portal account. There is not much they can do otherwise since the car manufacturers control the car systems. For example, unlike a PC or laptop, you cannot install a firewall in your car, although ironically cars do have physical firewalls between the engine and the passenger compartment, to literally protect the passenger against an engine fire.”
So if this happens again, where will responsibility and liability ultimately fall for cyber-attacks on cars, especially when another car is involved? Is it a problem for the car company, the insurer, or the driver themselves?
Kirk told us that “This will depend on the country and legal jurisdiction, as well as the contractual terms of both the car purchase and insurance. It will probably take some time for cyber incidents to be challenged in court before clear lines of responsibility become clear. If insurance companies take the initiative and start including cyber cover in their policies, they could benefit from being seen to protect drivers, however cyber insurance is not a well understood business.”