Road safety and cybersecurity overlap when it comes to the millions of connected vehicles used around the world by both businesses and individual consumers. Automated vehicles, “smart cars,” and cars with live online assistance—these options offer convenience, performance and safety benefits for drivers, but in some ways, they can also make drivers vulnerable to a new range of unseen cyber threats.
Vulnerabilities in the hardware and software that make connected vehicles “smart” can create an opening for criminals who may seek to steal information, or even take control of a vehicle remotely, which can pose a serious threat to physical safety. Cybersecurity that can quickly detect and alert drivers about suspicious activity can help owners of connected vehicles face an evolving world of new threats, says Gil Reiter, vice president of product management and marketing at SafeRide Technologies.
“As more and more cars are connected to the internet, and incorporate more complex software to bring advanced capabilities, conventional security measures are not sophisticated enough, and cannot deploy quickly enough to handle the growing number of threats,” Reiter told R&D Magazine in an exclusive interview. “Most vulnerabilities in vehicles today are unknown until an attack happens.”
Vulnerable cars, motivated criminals
As with computers and mobile devices, zero-day vulnerabilities (flaws that are present when a product is first released, and can be exploited by hackers unless they are detected and patched) can impact the security of connected cars—and several of these vulnerabilities have already been brought to light in recent years. This past May, a group of researchers from Tencent Keen Security Lab discovered 14 vulnerabilities in connected BMW cars that could allow unauthorized access, either locally or remotely, to the vehicles. And back in June 2015, the discovery of flaws in Fiat Chrysler’s Jeep Cherokee led the company to recall several vehicle models—about 1.4 million vehicles total—to update their software.
Although these particular bugs were discovered by researchers and not known to have been exploited by malicious hackers, Reiter gave several reasons why cybercriminals may have motive to develop exploits to target connected vehicles.
“There is endless motivation for cybercriminals to target connected vehicles, including theft of personal information, ransom, terrorism and more,” he explained. “Moreover, commercial connected cars get even more attention from cybercriminals given the function they serve in complex global supply chains, and their higher value.”
Detecting abnormalities with artificial intelligence
Unlike other malicious actions against vehicles, such as tire slashing or carjacking, hacking of connected cars can happen under the surface, undetectable to the driver until the real damage is done. Cybersecurity experts fight technology with technology, using tools such as firewalls, virus scanners, malware removers and even artificial intelligence to keep users’ systems safe.
One security tool for connected cars, called vXRay and developed by SafeRide Technologies, uses AI specifically to detect potential “symptoms” of a cyber infection, by monitoring vehicle data—such as sensor values and activation commands—and flagging abnormal behavior that strays from the baseline of activity. The technology was demonstrated at the CES 2019 conference earlier this month.
“vXRay monitors the vehicle’s internal network, where communication between different components and the external world take place,” Reiter explained.
Any anomalies detected by the automated system can subsequently be brought to the attention of the car’s security operations center, where the data can be analyzed, potentially bringing to light the root of the problem—including any unpatched vulnerabilities.
Because not every vehicle will have identical communication patterns from the jump, the AI component of vXRay first learns the “behavioral profile” of the machine to make informed decisions about how to flag and categorize potential threats. Because the system is designed to notice changes in the car’s functions rather than identify whether a known threat is present, yet-undiscovered threats could be detected, Reiter said.
Adapting to a new reality on the road
Industry forecasts indicate that connected vehicles are set to become the norm over the next decade. A 2017 report by PwC estimated that there was a population of about 31.3 million connected vehicles in the United States that year, and predicted the population would jump to about 146 million by 2030. Moreover, the report estimated that about 88.9 percent of new car sales in 2017—throughout the U.S., the European Union and China—were of connected cars. The report forecasted that 100 percent of new cars would be connected beginning as soon as 2022.
Reiter expressed that the automobile industry could face unique challenges catching up with the quick introduction of connectivity to so many vehicles on the road.
“The IT industry had three decades to evolve its technology and cybersecurity habits to get to a point where it’s fundamentally safe to use computers for financial transactions and personal information storage,” he said. . “The automotive industry, on the other hand, is adapting applications from the IT world quickly, but a lot of its technology is out of date.
“It is traditionally slower for the automotive industry to adopt new technologies because of safety concerns, and because of the huge financial investment,” he added. “This leaves a growing gap between the number of possible attacks and the number of security measures cars utilize.”
Some surveys suggest that cyber risks associated with connected cars are not being ignored by the public—for example, automotive research company Kelley Blue Book presented data at the RSA Conference in 2016 showing that 62 percent of respondents to a 2015 survey said they feared cars would be easily hacked in the future. Another survey by PwC, from 2016, found that susceptibility to hacking was identified by 28 percent of respondents as a disadvantage to autonomous vehicles specifically, the second most common response behind “safety concerns” (43 percent).
Reiter says it is important that owners of connected and autonomous vehicles are aware of the cybersecurity risks.
“In the same way owners of smartphones and computers know that their personal information can be hacked and their accounts can be locked, and in the same way that owners of home security systems know their video camera feeds can be hijacked, connected vehicle owners should be concerned about all of the above as well, and about their safety,” he concluded.