AI Online

Ai INNOVATION, SINCE 1895

Every sensor increases the vehicle's attack surface, which is where a hacker looks to find a vulnerability.

The connected car has rapidly moved from the realms of sci-fi to reality over the recent years. Smart phones and other Wi-Fi, Bluetooth-enabled devices are being synced with in-car infotainment systems, while vehicles themselves have sophisticated safety and engine systems that communicate with the diagnostics heart of a vehicle.

 

According to the Frost & Sullivan Auto Trends, 2013 report “embedded connectivity is here, it’s big and it’s growing. In North America 70% of OEMs offer some form of connectivity today. By 2020 50% of new sales in China will be connected. Worldwide, fifteen brands launched connected services in 2012-13. But in Europe less than 50% of OEMs offer connectivity today, and in the emerging markets there is still huge opportunity as national infrastructures gradually develop”.

 

But we are not just talking about connected cars. Autonomous vehicles, connected parking, connected mobility, eCall and bCall, connected after-market services all depend fundamentally on companies like British communications specialist BT which provides the underlying networks and communications infrastructure that make possible these connections on the world’s roads, says the company.

 

BT is laying the roadside infrastructure which makes connected parking in smart cities, like Milton Keynes in the UK, possible. It also provides super-fast internet access and fiber broadband services which connect the car to the home. “Add into the mix cloud services, big data, cyber security and smart-device app management, and you are describing the world in which BT excels – the integration of complex communications services into and end-to-end systems,” says Martin Hunt, head of BTs Automotive Industry Practice.

 

Automotive Industries (AI) asked Rowland how seriously OEMs take the threat of cyber-attacks on vehicles.

 

Rowland: Far more seriously than one might think, but this only becomes apparent when speaking one-to-one. Publicly most OEMs say that the situation is firmly under control – which it is, given that there have been no major issues to date. Privately, however, many fear that 2015 will be the year in which the first major organized attacks on connected vehicles will be staged. We are in discussion with five major manufacturers to help prepare for this and other eventualities.

 

AI: What role has BT played in raising awareness?

 

Rowland: BT is just one of many voices calling for an urgent assessment of the situation. But the market reacted well to a recent BT point-of-view paper on the matter. And following our appearance at the AutomotiveIT Congress in July we were invited by a small number of senior industry figures to comment and advise on their connected car initiatives.

 

AI: Tell us a little about BT’s expertise in the area of cyber security.

 

Rowland: BT has long provided communications services to some of the most security-sensitive government agencies. In the private sector BT works closely with industries such as banking and finance that are far more advanced in their thinking about security than most others. Our clients in the pharma and life sciences sector are also very demanding when it comes to security. Another thing that distinguishes BT in the security field is our scale. We have one of the largest security practices in the businesses, with over 1,300 accredited personnel sitting in 12 Secure Operations Centers worldwide.

 

AI: How did BT’s security cover for the London Games 2012 help in providing solutions for other industries such as the automotive industry?

 

Rowland: Many of the threats we countered in the games came from hacker groups propagating malware via mobile phones – one of the most likely vectors for any attack on the connected car. A prominent hacktavist involved in attacks on the Games remarked to law enforcement agents that the security cloak thrown by BT over the Olympics had been as impenetrable as a concrete dome. We learned a lot.

 

AI also asked Craig Smith, CEO of Theia Labs and a co-author of BT’s whitepaper on the Connected Car to tell us the extent of the cyber-security threat.

 

Smith: Modern vehicles have hundreds of sensors and dozens of embedded computer systems all working together. Not only are these systems more complicated than earlier generations, but now they are connected to external resources such as mobile devices and the Internet. Every sensor increases the vehicle’s attack surface, which is where a hacker looks to find a vulnerability. The larger the attack surface the more likely a vulnerability will be identified. To compound the problem vehicles have enjoyed the safety of a closed network in which information can be trusted. With new external inputs into the vehicle these networks can no longer trust the data that travels across them.

 

AI: What  measures can automotive companies take?

 

Smith: The automotive industry already has measures in place to handle recall situations. However, when it comes to Internet connected devices response times have to be quicker and more efficient. The computers that run inside of modern vehicles are not much different than that of a desktop computer. Except in a vehicle they rarely see any updates or have the protections that your desktop has. The networks should segment the data preventing access to critical systems from general purpose instruments like the infotainment consoles. It should also be possible to record or validate the communication that happens across the network and identify when the software installation has been tampered with. Vehicle owners and local mechanics also need a way to audit and verify the vehicle’s installation and performance. These complex systems need a safe way to update that does not require a recall or even a service call.

 

AI: What are some of the systems that are particularly vulnerable to attack?

Smith: There are two that hackers would target: The infotainment system is essentially a stripped down version of desktop machines. This provides a very low barrier to entry for an attacker familiar with exploiting desktop systems. The other method is the CANBus network. With physical access to a vehicle’s internal CANBus, an attacker can easily manipulate the behavior of the vehicle.

 

AI: What role does Theia Labs play in providing cyber security to automotive companies?

 

Smith: Theia Labs specializes in reverse engineering and embedded systems analysis. We work closely with the automotive industry to identify potential vulnerabilities and correct them before they are abused. We also provide guidance to government and public awareness groups.

 

AI: What work has your company done with BT?

Smith: Theia Labs works closely with BT in developing security strategies to assist automotive manufacturers identify and mitigate the relevant risks.