December 27, 2016
Imagine driving down the road when, without warning, your car takes on a mind of its own – adjusting settings on the audio and climate control systems. Or, even scarier, it causes the brakes to stop functioning. While this might sound like the plot of a new blockbuster thriller, the threat of cyberattacks on automobiles is real.
The automotive industry is integrating smart consumer technologies to improve the driver experience by including conveniences such as remote car starts from a smartphone, in-vehicle Wi-Fi hotspots, and dashboard food and entertainment apps. These conveniences, however, bring increased vulnerability to cyberattacks because cloud-connected technology may serve as a gateway for cybercriminals to access car systems.
Rob Barrett and Jack Dunham, who are part of the UL automobile cybersecurity team, were recent guests on the Rapid7 podcast, in which they focused on the potential risks of car technology hacking and the need to build better security protections against them.
“All of your electronic conveniences are, potentially, electronic vulnerabilities,” said Dunham. “In a pre-connected era, the worst-case scenario might have been the loss of your personal information or your credit card number. But automotive hacking has now made the real worst-case scenario the potential loss of life.”
The mounting concerns about the potential for auto hacking led the U.S. National Highway Traffic Safety Administration (NHTSA) to recently release guidelines aimed at protecting vehicles against potential cyberattacks. The goal of the guidelines is to ensure that cybersecurity is a key consideration for car designers and manufacturers in a world where connected electronics increasingly will control cars. Among its recommendations, the NHTSA notes that:
- Brakes, acceleration and steering — components labeled as “safety-critical vehicle control systems” — should be a priority area of focus for automakers.
- The “doorways” into a car’s basic electronic systems, which software developers use to fix bugs, should be locked down or sealed shut once cars hit the road.
- Encryption keys and passwords that give access to a car’s computer should not provide access to multiple vehicles.
The focus on preventive measures goes beyond the NHTSA – Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) championed a 2015 bill known as The Security and Privacy in Your Car Act or the “SPY Act.” This pending legislation calls on the NHTSA and the Federal Trade Commission to create new standards that would effectively require automobile manufacturers to build information technology security into connected cars.
In working with key stakeholders, UL supports getting ahead of vehicle cybersecurity before it becomes an issue. According to Barrett and Dunham, a proactive approach to security, rather than reacting to threats as they arise, is critical to protecting people and enabling automakers to continue to innovate with in-vehicle technologies. Testing for cyber vulnerabilities should be part of a standard suite of tests that automakers conduct on vehicles before they put them on the market and on the road. Doing so would offer greater levels of cybersecurity assurance for connected cars and autonomous vehicles, much like UL testing and certification has done for more than a century in other areas of the marketplace.
Just this year, UL launched its Cybersecurity Assurance Program (CAP), which helps manufacturers, purchasers and end-users, both public and private, mitigate the potential security risks of interconnected devices through methodical risk assessments and evaluations. As automakers continue to explore new car technologies, including options for autonomous driving, the ability to better secure connected vehicles will be more critical than ever. By identifying potential security risks in this technology and suggesting methods for mitigating those risks, UL aims to help automakers usher in a new era of connected and autonomous cars with greater peace of mind.