Driving better application security in connected cars

There is no question that driverless cars are on the British agenda. First featuring in the 2015 Autumn Budget, the government's aspirations for the UK to be a global hub for this technology was reaffirmed with further plans outlined in the Modern Transport bill during the Queen's Speech.

However, Britain isn't alone in pursuing this innovation in transport. Globally the industry is booming, with research from IDC, commissioned by Veracode, predicting the total value of the automotive-related Internet of Things market in 2016 at $140.3 billion (£100bn).

This is perhaps unsurprising given the increase in competition in this space: extending from automotive manufacturers to software companies and component manufacturers, such as Google and Apple.

Are connected cars secure?

But beyond the hype of ever more connected and autonomous cars, serious questions around the security remain. Indeed, no matter whether a computer, smartphone or connected car, no Internet-connected device is 100 per cent secure, as the software that runs the device is connected with external data sources. For connected cars, this might be a cloud-based application or another connected vehicle.

While this might be a new threat to cars, connecting any device to a global network introduces significant risk. Just like before computers were networked, they were fairly safe. With the exception of viruses being transferred using physical devices, like floppy disks, connectivity creates a whole new wealth of threats to cars.

Software vulnerabilities found in the car's network connections pose one of the greatest threats to connected car security. Again, this isn't a unique threat to cars, but one that the information security industry has battled for decades. An increasingly popular attack vector, the number of cases has risen 66 per cent year on year since 2009.

Hackers are constantly testing mobile applications and web interfaces for vulnerabilities, and when flaws are exposed, the results range from breaching sensitive information (as in the case of the 2015 TalkTalk hack) to remotely stopping a Jeep Cherokee as it drives down an American highway.

Secure applications for safe vehicles

The idea that connected cars will become an app platform raises significant challenges for securing vehicles against cyberthreats. This issue is heightened by the fact that manufacturers have no advance knowledge about which third party applications drivers are likely to download onto the car’s app-platform when designing its security features.

However, the auto-manufacturing industry are aware of the threat this poses. In a recent interview of a number of leading vehicle manufacturers conducted by IDC, it was predicted that it could take up to three years before the security features of connected car application systems are prepared for today’s cyberthreats.

One approach that manufacturers have adopted for securing connected vehicles involves separating infotainment systems from driver functionality. This provides an air gap between any consumer applications that drivers may download and the integral vehicle operations, helping to reduce the impact a malicious actor might have upon the physical safety of the driver, passengers or those in close vicinity to the vehicle.

Where responsibility lies

With the Highway Code and laws in place to help ascertain where responsibility lies for drivers involved in accidents, the question of responsibility when a car is operated by a computer introduces new questions.

The understanding around who is responsible for the application security of connected vehicles, as well as the risk software vulnerabilities pose, is a natural extension of this question. For instance, should a manufacturer retain liability for the entire car package when threats are introduced at a later date by users downloading third party applications?

Drivers are currently split on where the responsibility lies for securing connected car applications. When asked who should be held liable if they downloaded an insecure application which introduces a vulnerability into their car, the majority of drivers (40 per cent) would hold themselves responsible, a fifth (20 per cent) would hold application developers and manufacturers to account, while 17 per cent blamed the app store.

With such disparate opinions around where responsibility lies, clear regulatory standards are needed to ensure all stakeholders - car manufacturers, technology vendors, and drivers themselves - know when they could be held liable.

This certainly isn't the only space where the government is forced to play regulatory catch up on fast evolving technology. Cyber liability and encryption continue to challenge the government to meet the demands of the new digital age. However, the physical risk introduced by this technology means that resolving these questions must be a top priority before an incident occurs.

Secure by design

Ultimately, no matter where liability is assigned, it is important that application security testing plays an integral role in all stages of connected car development. Only through approaching security throughout the design phrase of a car - whether the in-car network or a third party application - can we reduce the risk that hackers play to our roads.

With the cost of a connected car breach extending from data loss to the potential loss of life, it is important that car manufacturers and technology vendors work closely with the cybersecurity industry to ensure its measures are best in practice.

Only through adopting a collaborative approach to securing the connected car, can we ensure that Britain's great ambitions to be a global leader in this space don't come at a cost to citizens’ safety.

John Smith, principal solution architect, Veracode

Photo Credit: ssguy/Shutterstock