September 5, 2017
Remember the days when the biggest choice car buyers had when selecting an entertainment package for their vehicles was whether to opt for the single CD player or the six-disc changer? Nowadays, that next car purchase might more closely resemble a smartphone on wheels.
That’s because the automotive industry now integrates the latest consumer technologies, including innovative infotainment systems, to improve the driver and passenger experience. Dashboard maps and entertainment apps, in-vehicle Wi-Fi hotspots and video calls are just a sample of the infotainment capabilities offered with the latest car models.
These modern conveniences, however, bring increased vulnerabilities for cyberattacks because the connected technology that enables this increased functionality may serve as a gateway for cybercriminals to access car systems.
Gonda Lamberink, business development manager in UL’s Consumer Technology division, is part of the UL Vehicle Cybersecurity team working to bring awareness to the potential risks of car technology hacking and the need to build better security protections against them.
“When you think about the connected car, today's infotainment system has the most connectivity to the outside world – making it one of the more exposed systems in the car,” Lamberink said. “There’s always a cyber risk with, for example, any app downloaded or purchased through app stores. Apps running on your mobile device are now operated through the dashboard head unit and open up a portal to the car that increases the vehicle’s vulnerability to cyberattacks.”
The risks, however, go beyond the data vulnerabilities of pairing smartphone apps with the vehicle’s dashboard through the use Bluetooth or USB. Because the infotainment system also interfaces through the CAN bus and other internal vehicle networks with other car systems, critical safety functions could be implicated. Cybercriminals can potentially take over the car’s audio, climate controls or – worse – the brakes.
UL’s teams in Fremont, Calif., and Leiden, the Netherlands, conduct research and work with customers to uncover the potential cybersecurity risks inherent in connected car technology. Using penetration testing, as well as vulnerability analysis and fuzz testing on different infotainment and connected car systems, the teams collaborate and align closely on how best to approach a security test, through threat modeling and risk analysis. The teams then present critical findings to help customers understand the potential risks.
“The industry has woken up to the security risk,” Lamberink said. “In-car entertainment has been a core area of cybersecurity focus because of the external exposure and, by and large, the car manufacturers have built up teams of in-vehicle security experts to address the potential vulnerabilities created by increased entertainment functionality.”
Riding into the Future
Beyond greater infotainment luxuries, car manufacturers and software developers have only begun to scratch the surface of the possibilities promised by the broad adoption of autonomous vehicles. As with in-vehicle entertainment, autonomous driving presents its own set of cyber and physical security risks. These risks have not stopped the competitive race to roll out this emerging technology; by governments across the world. Government agencies also, and increasingly, discuss cybersecurity regulation, to mitigate risks.
In the U.S., members of congress are working to pass the first federal legislation that addresses driverless car technology. There’s a bill on the House floor that would “bar states from setting certain driverless car rules and allow manufacturers to deploy up to 100,000 self-driving vehicles per year without meeting existing auto safety standards.” Meanwhile, the British Department for Transport urged manufacturers to “design out hacking,” underscoring that board members of companies selling connected cars will be held personally accountable if their products get hacked.
“The hacking risk is real. If today’s big trend of the car evolving into a mobile phone on wheels presents one level of security and safety concern, tomorrow’s move toward autonomous driving functions and intelligent transport ecosystems is an even bigger one,” said Lamberink. “The car is going to be even more connected in the near future, and it’s critical that the industry keep pace with the security risks.”
UL supports getting ahead of vehicle cybersecurity by working with key stakeholders to ask and answer the tough questions needed to design safety in – and hacking out – of the software that powers connected cars and autonomous vehicles. Proactively testing for cyber vulnerabilities rather than reacting to problems as they arise should be part of a standard suite of tests that automakers conduct before they put their vehicles on the market and on the road, according to Lamberink. Doing so offers greater levels of cybersecurity assurance for connected cars and autonomous vehicles – and peace of mind for drivers.