A chilling study examines the outcome of breaching a networked car. Retailers should consider the outcomes for ideas in response and operation choices.
Safety in automobiles has changed meaning. When I was an automotive engineer, antilock brakes had become widespread, and increased usage of traction control made rear-wheel drive cars attractive to consumers again.
The automotive industry has long emphasized safety in automobile design and function. Tech has advanced that safety, and the networked vehicle represents unprecedented advancement.
A networked vehicle also represents an epoch-making viewpoint: an automotive safety threat can come from someplace not entirely on or near the road.
In July, two hackers successfully demonstrated how a vehicle could be wirelessly infiltrated. Charlie Miller and Chris Vaselek hacked the controls of a test Jeep Cherokee and remotely controlled the vehicle’s steering and cut power to the brakes. The trick was demonstrated for Wired magazine, with writer Andy Greenberg driving. The pair exploited the vehicle’s entertainment system to dispatch escalating tricks, from cutting on the wipers and radio to reducing the vehicle’s speed while it was on the highway.
Such “technological larceny” is an evolved viewpoint on automotive theft. Vehicle alarms were the forefathers of vehicle security, and, over time, those measures increasingly made automobile theft too difficult. So thieves began targeting car parts rather than the vehicles. Many vehicle features fetch a fair price, and accessing a portion of a vehicle was a better risk than wasting precious time fighting security that disables the ignition or triggers an alarm. Ask anyone about the benefit of a steering wheel lock, and you get the gist.
Thieves are now focussed on accessing vulnerable vehicle tech. A typical approach in an attack on an Internet-connected system includes:
- Discovering information about the intended target through network enumeration, a protocol for identifying a network, connected devices, and associated metadata.
- Identifying system vulnerabilities that are suitable for an attack.
- Compromising the system by taking advantage of the vulnerabilities discovered.
Theft from new tech-savvy criminal elements is not the only concern on the horizon for the automotive industry, scale and disruption are as well. For instance, Tesla has successfully entered what was once considered an industry with a high barrier to entry. Today I am reading about competitors to even Tesla!
The end result is incorporating innovative precautions to help prevent scary intrusions like the one Miller and Vaselak enacted. Tesla has already shown that it can transmit vehicle feature changes as customers download software upgrades.
But an upload of patches is not the end-all of security. Effective security is a set a behaviors, not just specific features, and such behaviors will have to be taught to not only customers who buy high tech cars but to suppliers who manufacture the components as well. That behavior is what any industry with an interest in the Internet of Things should pay attention to.
The automotive industry has an innate ability to engineer parts and manage a supply chain that supports its manufacturing. Thus, it is worthwhile to combine technological IOT security development with ideas on deploying development measures across a supplier chain.
There are a few steps businesses in other industries can learn from the automotive industry as it moves ahead with advanced security.
Teach customers how to keep vehicle tech network secure. Because thieves are now tempted to breach vehicle tech, automakers must demonstrate ways to show owners how to keep that technology protected. Offering means to maintain a protected network identity can keep the product and associated network private. The customer experience must be worry free.
Using analytic techniques to confirm intrusion points. For example, a website in which customers process by password can leverage packet sniffers, software that captures data packets. Packet sniffers are usually deployed to confirm functionality when installing analytics on a complex site, but it also helps address data packets that are used to capture passwords and other data in transit over the network.
Establish a central vulnerability test team in product development. That may be easier said than done, but automakers can leverage an advantage. It takes three years to develop a vehicle, and automakers do have a number of vehicle lines to develop. A central security team can establish continuous safety protocols, coordinate deployment of solutions, and work with outside agencies when merited.
Robin Chase, founder of Zip Car, once wrote in an online essay on driverless cars that she thinks “it is the fully autonomous car that is going to be game-changing.” But before the world arrives at a comfortable point with autonomy in vehicle, it must arrive at a secure point with vehicular technology.