Internet-connected vehicles are about to become commonplace, with most of the automotive industry adding some type of interface to connect cars. Even though this is a big stride and one that fits nicely with the launch of self-driving cars, it also brings a major security risk to the forefront of the conversation.
Having a computer control anything of significant value is a risk without the proper security, and a computer on wheels is a whole new world of risk. Lookout’s Kevin Mahaffey and CloudFlare’s Marc Rogers found that out when attempting to hack the Tesla Model S.
Even though Tesla is one of the few car companies that hires experienced developers and security officers, the duo found six vulnerabilities that allowed them access to the main hub on the Model S. From there, they could stop the car, turn on music, change directions and more.
"We identified six vulnerabilities in the Model S that ultimately resulted in the ability to, with initial physical access to the car, gain full control over the vehicle's infotainment system and be able to perform any action accessible to the center touch screen or Tesla's smartphone app," said Mahaffey.
This may not seem like a big deal, but it opens up a conversation about the future of cars.
If a self-driving car has its route changed, the driver may not even realise. A driver might go to sleep on a long drive and wake up to find the car parked on the side of the road, because someone managed to turn off the entire vehicle.
These are things that could happen, according to Mahaffey, if the right security measures are not put in place. Isolating the vehicle from the infotainment systems is the first order of business, keeping information about the car secret and locked in a secure vault.
Rogers and Mahaffey also claim over-the-air updates must become standard. No more recalling cars en masse if a security risk crops up. Tesla updates the Model S every few weeks, and in the future security fixes will need to be pushed every few days.
This will keep the car safe from potential hackers by installing the latest firmware to protect against old vulnerabilities. We would also push for an open source standard for automotive companies, instead of having every car manufacturer build its own systems.
Third, secure individual parts of the network instead of adding more wooden beams and iron fences around the perimeter. This means security on each part of the system, instead of covering the entire system in one secure blanket. Hopefully, if hackers do get past that first layer, they will only be able to access a small number of infotainment systems.
The connected car will be a new frontier for developers and hackers to dig into, but with the right protections and standardisation of security, the industry should be able to fend off most attacks.