Be sure to check out the first part in this series in which RSM's global Automotive lead, Lawrence Keyler, discusses how the automotive industry is currently in the midst of a reinvention and how smart technology is making our roads safer.
We are on the cusp of the smart vehicles’ era, which has the potential to usher in an age of unparalleled convenience, safety, and connectivity on the road. As discussed in the first article, cloud-based technologies are fixing to seamlessly connect the vehicles we drive to the cities around them, camera technologies are improving driver and pedestrian visibility, and sensor technology are increasingly able to prevent incidents in ways that we could never predict.
Modern cars have become more than just modes of transportation – they are rolling computers. However, as technology continues to evolve, so do the risks associated with it. According to Upstream’s 2022 Global Automotive Cybersecurity Report, there was a 225% increase in vehicle cyber incidents in 2021, when compared to 2018. With the good, comes the bad, and the era of smart vehicles, as with most technology, has its fair share of risks.
With the vast amounts of data that is collected in the automotive industry, data privacy is of most concern to the entire supply chain: from the automotive suppliers through to the Original Equipment Manufacturers (OEMs) as well as the ultimate consumer. Given the data intensity of the industry, there are significant concerns regarding the protection of data and the significant risk of data leakage. The continued evolution of smart technology and the data intensity involved, including the Internet of Things (IoT) and the amount of dynamic data that is generated, means that the automotive industry is one of the most susceptible and difficult industries to protect in terms of data privacy. Given the global nature of the industry, the regulatory and legal framework varies around the world with regard to the privacy of data; it is critical that the industry at large develop intentional and planned data destruction policies for safeguarding data and staying compliant with regulations.
Taking a deeper dive into the data security issues, as a result of the IoT and the connection to smart vehicles, the data collected can be susceptible to being shared with other connected devices and systems. Continued investment and development of autonomous technologies that are embedded in future connected vehicles will significantly increase the vast amount of data that the industry will be collecting. Other contributors such as 5G providing for high speed and wide range, will increase data being gathered bringing an enhanced focus on regulatory and legislative guidelines.
As we discussed in the first article, the data being collected facilitates not only the safety of vehicles but is also used to improve customer experience, overall performance and efficiency. The nature of the data includes extremely sensitive information such as the driver’s location and destination, medical information and history, most visited places, routes taken daily, and call history. If this information is compromised, it can give rise to driver exploitation, or even identity theft.
There is so much more to come around how to protect data. Advancement in securing data, the evolution of the regulatory framework and continued development of legislation and laws around the world will evolve. For the time being, consumer awareness of the issues is critical and the intentional focus and investments in providing secure infrastructure for the protection of data will continue to be a priority for automotive suppliers, technology companies and OEM’s.
Hacking and unauthorised access
We are already seeing vehicles with keyless entry systems; in fact, they have been around for a while and many, if not most, modern cars use keyless entry in some form or another. Newer, more advanced systems allow their owners to open their cars just by standing next to it, without having to press any buttons. The convenience of keyless entry systems cannot be understated, but that convenience comes with potential risks.
Malicious actors can use various methods to gain unauthorised access to vehicles, all of which generally revolve around mimicking the signals relayed by car keys to trick a vehicle’s built in systems to open the car. Older cars with keyless entry are especially vulnerable, since newer cars use rolling codes that are not susceptible to the same kinds of attacks. A minimum of 110 cars from 27 manufacturers were found to be at risk of this sort of attack. You may have heard about a hacking tool called the ‘Flipper Zero’ that made headlines after Amazon banned it for being a ‘skimmer’ tool that could read credit card information. Claims were also made that the device could unlock some vehicles, and whilst there is debate around the effectiveness of this specific tool for that purpose, there are plenty of other tools that would be more effective.
Vulnerabilities in vehicle communication
The smart vehicle landscape relies heavily on wireless communication technologies that allow vehicles to communicate with other vehicles and the world around them. This increased connectivity promises enhanced safety features that could decrease the amount of accidents for drivers and pedestrians alike, but as with all digital technologies, the higher the connectivity, the more chance that bad actors have to exploit them.
Vehicle-to-Vehicle (V2V) communication is the sharing of data between vehicles with the aim of enhancing safety and optimising various functions, including preventing collisions, coordinating groups of vehicles (platooning), and facilitating cooperative driving (i.e., anticipating the behaviours of other road users, whilst also sharing the road in a respectful and safe manner). V2V predominantly relies on wireless technologies, such as Dedicated Short-Range Communication (DSRC) or Cellular Vehicle-to-Everything (C-V2X). However, these technologies are susceptible to a range of cyber threats, including jamming, spoofing, replay attacks, and the injection of malicious messages. These attacks can compromise the integrity, availability, and confidentiality of the V2V communication, and potentially cause accidents, traffic congestion, or privacy breaches.
The connectivity does not stop there though, as a smart vehicles connectivity to the road infrastructure around them also has the potential for a smoother driving experience with safety at the idea’s core. Vehicle-to-Infrastructure (V2I) communication is the exchange of data between vehicles and the infrastructure located along roadways, such as traffic lights, signs, cameras, or sensors. V2I can enable various applications, including intelligent traffic management, monitoring road conditions, and smart parking. Just like V2V communication, V2I also hinges on wireless technologies, such as Dedicated Short Range Communication (DSRC) or Cellular Vehicle-to-Everything (C-V2X), rendering it susceptible to the same cyber threats.
In addition to these digital risks, the security of V2I can be influenced by the security of the infrastructure itself which opens the door to potential hazards like unauthorised tampering, malware, or unauthorised access. Such attacks have the potential to disrupt the functionality of the infrastructure and can consequently impede the safety and efficiency of vehicles that rely on these systems. If, for example, a traffic light got compromised and powered off, the potential consequences could be dire.
Weaknesses or flaws in the code or design of a smart vehicle’s software systems can be exploited by bad actors wishing to compromise their security or functionality. Smart vehicle technologies such as sensors, cameras, GPS, and wireless communication that enhance driving experience and safety, are also susceptible to software vulnerabilities that can pose serious risks to the users and the environment. Two such examples are:
- Over-the-Air (OTA) Updates: OTA updates are a way of remotely updating the software of a smart vehicle without requiring physical access to the vehicle. OTA updates can provide benefits such as fixing bugs, improving performance, and adding new features. However, OTA updates can also introduce new vulnerabilities or expose existing ones if they are not properly designed, tested, and secured. For example, an attacker could intercept, modify, or spoof an OTA update to install malicious code on the vehicle, which could then allow them to take control of the vehicle’s functions, steal sensitive data, or cause damage.
- Infotainment Systems: Infotainment systems are the devices and software that provide entertainment and information services to the driver and passengers of a smart vehicle. Infotainment systems can include features such as navigation, music, video, internet access, and voice control. However, infotainment systems can also be a source of software vulnerabilities if they are not properly isolated from the critical systems of the vehicle, such as the engine, brakes, and steering. For example, an attacker could exploit a vulnerability in the infotainment system to access the vehicle’s network and then manipulate or disable the critical systems.
Mitigating the risks
While this may all sound like doom and gloom, the positive aspects of smart vehicles far outweigh the potential risks. Even with looming potential concerns, the innovations that come with smart vehicles are set to increase the safety of the driving landscape immensely, and there are plenty of things that manufactures can do to mitigate these risks:
- Enhanced authentication: Robust multi-factor authentication methods ensure only authorised users can access and control the vehicle's systems, a fundamental security measure.
- Frequent software updates: Despite the potential risks of tampering, regular updates and patches are crucial to address known vulnerabilities and maintain the security of smart vehicle software.
- Secure communication protocols: Strong encryption and authentication mechanisms for vehicle communication protect against interception and manipulation of data, safeguarding against cyberattacks.
- Network segmentation: Isolating critical vehicle systems through network segmentation reduces the attack surface and prevents unauthorised access to essential functions.
- User data consent: Enforcing strict user consent policies for data collection and sharing respects individual privacy rights and enhances data security in smart vehicles.
With the widespread uptake of smart, interconnected vehicles just around the corner, it is essential to recognise and address the digital risks that accompany this technological revolution. By embracing enhanced security measures, the automotive industry can ensure that the benefits of smart vehicles continue to outweigh the potential risks. The evolution of the industry, regulatory frameworks, and legislation worldwide will shape the landscape of data security in smart vehicles. For now, consumer awareness, intentional investments in secure infrastructure, and a commitment to protecting data remain paramount. In doing so, we can continue to enjoy safe, connected, and secure rides into the future.