When we think of the Internet of Things (IoT) devices, most of us think of small sensor-equipped devices used in homes, hospitals, business and industrial settings. But there’s a much bigger and far more complicated IoT device out there: the connected car.
As connected vehicle technology progresses towards the ultimate goal of fully-autonomous vehicles, they are picking up more and more of the technologies and characteristics associated with IoT. Vehicles with sensors reading the environment, uploading data for analysis, receiving information about how and when to make a turn, how far a gap there needs to be with the vehicle ahead and the proper speed for traffic and weather conditions are being created.
These applications are designed to enhance the driving experience and open drivers to new possibilities. All of these applications are available through internet connectivity. With built-in sensors that tell the controlling server exactly what is happening at any time, connected vehicles are the logical extension of the IoT revolution, in which connected applications take care of many of the chores for which the driver was formerly responsible.
The Vulnerability of Connected Vehicles
But like other IoT systems, connected vehicles are vulnerable to hacking, data corruption, remote hijacking and more. Unlike with other IoT systems that may be compromised, the outcome of an attack on a connected vehicle won’t be just a break in data collection or even data theft. A compromised connected vehicle could well result in the death and injury of dozens if the compromise were to take place when a vehicle is speeding down the highway at 65 MPH.
Although hacking a vehicle would seem to be a far more difficult operation than hacking a refrigerator or a baby monitor, the method of attack in both cases are remarkably similar. Like devices, vehicles upload and download data via a cellular or local network. So the same methods that hackers use to reach a device could enable them to reach a vehicle, too.
In fact, it might be even easier to hack a vehicle than a baby monitor. To compromise the latter, a hacker needs to break into the home or cellular network the device is using, and to do that they need credentials that will give them access either via an email phishing scam pretending to be a service technician on the phone, credential stuffing, etc. But the network is really the only attack vector for device hackers.
But vehicles have numerous attack vectors. A hacker could exploit a vehicle via its infotainment system, a USB connection, Bluetooth connection and of course its cellular network, either built into the vehicle or via its cell phone connection. There’s even an exploit in which hackers can compromise a vehicle via its tire-pressure monitoring system (TPMS), a system that tells drivers if their tires are low on air. Hacking into a TPMS, a bad actor could send an impossible condition to the Advanced Driver Assistance System (ADAS) Engine Control Unit (ECU), thus tricking it into overcorrecting for spoofed road conditions, or convincing a driver they have a flat tire, causing them to pull over to the side of the road in a remote area, exposing themselves to danger from thieves or carjackers. Instructions on this and many other hacks are publicly available online.
Protecting Connected Vehicles
Needless to say, the consequences of hacking into a “moving IoT device” could be much more serious than that of a stationary one. If a vehicle traveling 65 mph down the highway is compromised, it could be a question of life or death. With higher stakes comes a much greater need to ensure security. Unfortunately, security is another area where IoT devices, in general, are not differentiated from computers and networks. Hackers use the same tricks to get their credentials or force their way into a device as they do a network. With malware so ubiquitous, this is obviously an unacceptable situation. What more can be done to protect vehicles?
One way could be for manufacturers to install intrusion detection systems that would constantly check the vehicle’s electronic systems for unusual activity. For example, if an instruction that is sent from a central server to a fleet vehicle is supposed to be twelve bytes in size and the vehicle gets one that is larger or smaller, that could be a sign that someone is trying to compromise the vehicle. In that case, the monitoring systems could generate an alert or in some cases even instruct the targeted vehicle system to reject the instruction. In a similar manner, intrusion detection systems can keep out unwanted network communications and detect when an outside party is tampering with the TPMS.
Connected vehicles are as vulnerable as any other IoT device, but they need more security than other devices. Manufacturers realize this and have been working to build better and more advanced security systems to protect vehicles. Within just a few years, there are going to be millions of these “super-IoT” devices on the road; let’s hope that we can get the security issue under control long before that.
Written by Yossi Vardi of SafeRide Technologies.