The Connected Car Conundrum

Our cars have long been an extension of us. And, as we have become more digitally connected, so have our vehicles. Features such as navigation and multimedia streaming are increasingly being offered as standard, propelling the global connected car market to more than USD 219 billion by 2025.  

China and Hong Kong are seeing strong demand for connected cars, with consumers placing more emphasis on connected car technology than on the usual engine performance when it comes to buying a car.

This growing trend has also prompted the Hong Kong Productivity Council (HKPC) to form the Hong Kong Connected Vehicles Cluster (HKCVC) to facilitate an exchange of ideas among industry practitioners, focusing on four key technology areas, including cybersecurity.

The advancement of technology helps make our lives more convenient. However, it can also leave gaps that hackers can exploit, such as in your connected car.

If It's Connected, It CAN Be Hacked

It used to be that the biggest risk was your physical car keys being stolen. However, with technology progressing fast, your digital keys are likely to be even more sought after by criminals.

Let’s assume that the car manufacturer has a central server that’s getting feeds from all its vehicles, for example with data on your location. This data may be stored on the manufacturer’s premises, or it may be stored in the cloud. Either way, your car will have to authenticate in some way to connect to this central system, creating a new trust issue.

How does the manufacturer trust, if your car is talking to its central system, that it is that car? Or how do you trust, if the central system is talking to your car, that it is the central system?

Hackers will be trying to compromise that connectivity, and to do this, they need two things. First, a route to connect to the system, for example, an open Wi-Fi network. This has been a known technique since 2015, when hackers remotely compromised a Jeep Cherokee and paralyzed it on the road.

Second, they will need a credential or permission to get in. These are your digital keys. What this means is that if your car is open to connections or communications from an open source and there’s a weak password, then attackers have got the credentials to gain access to your vehicle.

The Driverless Threat

The big question is: if that connection is compromised, what could an attacker do? Inevitably, the threat will become greater as technology advances and when driverless cars hit the road in 2021.

This will take the capabilities of our connected cars to a whole new level, and the biggest danger is that a vehicle will be taken over.

There is a huge amount of work happening right now, across the industry, to ensure that cybersecurity is fully integrated as part of the driverless vehicle development process. However, if someone did compromise that connection, he or she could start to impersonate communications and send bogus commands to the car. Or vice versa – they could tell the central system that the car is over here when it's somewhere entirely different and force a crash.

How Attackers Watch and Learn

Indeed, attackers won’t automatically know how to configure or administrate driverless cars. However, we don’t need to look far for examples of where attackers have lurked inside the infrastructure until they had the knowledge to take control and cause considerable damage.

With the SWIFT Bangladesh Central Bank heist and the Ukrainian power network hack, attackers got into the critical assets, and they watched and learned until they knew how to make a transaction or turn off the power. We can expect to see a similar approach being attempted to compromise driverless cars, with attackers holding the keys for a long time before they take the wheel.

Of course, full control of the vehicle is not the only motivation for cybercriminals. We may also see attempts to track the journeys of high-profile targets. Attackers could silently collect travel data, while also using advanced social engineering techniques, to build a comprehensive picture of the person’s habits and whereabouts. This could potentially lead to a new type of online blackmail.

As car connectivity continues to increase, there are even more digital identities to manage, secure and, ultimately, trust. The onus is on the manufacturers to keep customer data secure and ensure personal safety, and that all starts with protecting these trusts and any respective credentials.

This contributed article is from Jeffrey Kok, Vice President of Solution Engineer, Asia Pacific, and Japan at CyberArk. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.