Three years until connected cars are cyberattack-proof?
The road may soon be full of self-driving cars -- like Google's (above) -- but how secure will they be?
It could be years before connected cars are fully secured against cyberattacks, researchers have warned.
While car makers and software companies are keen to add new features to cars -- including testing fully autonomous vehicles on the road -- there are still significant concerns about the security implications.
Indeed, research carried out by analysts at IDC on behalf of application security firm Veracode found that half of drivers are concerned about the security of driver-aid applications in vehicles, such as adaptive cruise control, self-parking, and collision avoidance systems, many of which are increasingly reliant on being connected to the internet.
The fears don't come without justification; last year, security researchers discovered a vulnerability in Jeeps equipped with a Uconnect in-vehicle connectivity system which enabled hackers to take control of the car and drive it off the road,
IDC predicts a security lag of up to three years before systems catch up with cyber threats. In particular, it said driver-downloaded applications pose security challenges. "All manufacturers interviewed reported concerns around the security of critical systems being exposed to applications they did not develop, creating situations where safety of the vehicle would 'leave the control of the manufacturer'," it said.
Therefore, cybersecurity has to be a concern for any organisation in the automotive industry, be it a traditional car manufacturer or a technology behemoth, because the consequences of a cyberattack on a moving vehicle could be potentially fatal. Yet at the same time car manufacturers continue to build internet-connected features without thinking about the requirements for cybersecurity.
"What we're seeing happen in the auto industry is a microcosm of what's happening in financial services, healthcare, and virtually every other sector -- applications are not created with security in mind, creating a major area of risk," said Chris Wysopal, CTO at Veracode.
So, why aren't car manufacturers taking cybersecurity seriously? According to Alexandra Luck, principal of A Luck Associates, an asset and risk management firm, this has occurred because so far been there has been no incentive for them to spend money on security.
"If an organisation at the senior level thinks somebody is going to be knocking on their door and they'll be in trouble, then they'll spend the money on it. Or if they see there's some sort of commercial advantage, they'll be motivated to do it," she explained, speaking at a recent event on cybersecurity at The Institute of Engineering and Technology in central London.
"What will happen if something goes wrong? And do they consider that a significant enough impact on their finances or reputation? I think that's the only way organisations will spend that money, if they see a gain. Or if there's sufficient demand from their customer base for that level of security to happen," Luck added.
Mike Parris, head of the secure car division at automotive technology consultancy and research firm SDB, argued that legislation must compel the auto industry -- which he suggested doesn't like to spend additional money if it could be helped -- to take cybersecurity in vehicles seriously.
"At the moment, security will only ever increase the cost; it's hard to believe anybody would sell more cars because they are secure; you kind of expect them to be secure. And there are no standards for automotive cybersecurity, so at the moment there is a bit of a block," he explained.
Parris expressed hope that the car industry would recognise that if it doesn't spend money on cybersecurity, that in itself will result in painful costs down the line, as they're forced to play catch-up.
"It would be nice to think that people will be enlightened and they will take a view on the cost of not adopting cybersecurity standards and such like; there is evidence that is starting to happen, but at a relatively low level," he said, adding: "I do feel that a bit of a push of legislation or regulation might be a slightly less catastrophic motivator than somebody dying."