GlobalSign Blog

07 Apr 2016

IoT Security in the Auto Industry

When we consider the Internet of Things (IoT) in the automobile market, most of us will think about the connected car or the Google car. Today, these benefits are consumer orientated and provide basic convenience, maintenance and safety functions. In the future, especially with the ongoing development and testing of the self-driving Google car, our entire experience with how we interact with our cars will be revolutionized. Someday, we may just all be passengers where vehicles communicate with one another, to maximize safety and optimize efficiency to get us from point A to point B.

If we then mention security, the 60 minutes piece that aired in 2015 about hacking the internet-connected Jeep most likely will be top of mind. Was it sensational? Sure, but it did highlight a potential critical flaw and security vulnerability that resulted in 1.4 million vehicles being recalled. Additionally, car manufacturers are increasingly marketing their connected features from onboard Wi-Fi, to mobile apps that control the locks and even start vehicles. In these cases, the novelty of these “cool” features often outweigh the negative impacts. So what happens when the consumer’s phone is stolen? Are there appropriate security and authentication measures in place to ensure their car is then not stolen as well? These are all things to think about.

Should we as consumers be concerned? Maybe, maybe not, as it may still be too early for these issues to turn into an epidemic. However, we should start becoming more aware of these connected features and how they can impact us, both positively and negatively. Security will need to be addressed especially as more vehicles offer internet-connected features. Our safety and the privacy of our personal information and property will depend upon it.

New Risks Facing Auto Manufacturers

For now, the people who should be really concerned about these vulnerabilities are the auto manufacturers. Negative high-profile news like the 60 minutes piece can be quite damaging to their brands and reputation. Additionally, these vulnerabilities put consumer safety at risk and significantly drive the cost of warranty replacements up when repairs are needed on potentially more than a million vehicles. Nobody wants to be associated with a story such as that and have to deal with expensive reputation repair and resulting financial losses. Fiat Chrysler has had to do a lot of damage control, including an extensive and costly recall of their vehicles. Now, if something tragic had resulted from this, the damage could have been unrepairable and affected whether the manufacturer would be able to stay in business or not.

The good news is that the auto industry does recognize this and cybersecurity is now being addressed by the Alliance of Automobile Manufacturers, an association of 12 vehicle manufacturers including BMW, Fiat Chrysler, Ford, GM, Jaguar Land Rover, Mazda, Mercedes-Bez, Mitsubishi, Porsche, Toyota, VW and Volvo.

But, issues like this may just be the tip of the iceberg of security concerns for car manufacturers. While hacking a vehicle and taking control over some of its functions gets the media attention, what happens during the engineering and manufacturing stages could be the most critical. Here are a couple of examples…

Security Concerns on the Manufacturing Floor

The automobile manufacturing process needs to be very precise and meet the highest quality standards to put a car on the road. The safety of everyone on the road depends upon the quality of vehicles being manufactured and sold. The manufacturing process is now very automated (almost fully). To further optimize the process, manufacturing facilities and the equipment are being interconnected to share and analyze important data. This is Industrial IoT (IIoT). What can be done with this data can be very powerful and potentially save manufacturers millions of dollars. However, connecting this equipment does open new vulnerabilities, which can put the manufacturer, its employees and consumers at risk.

If a malicious attack is successful at compromising a piece of manufacturing equipment or software service, serious issues can occur. If a hacker is able to gain access to a sensor that monitors the operating temperature of a piece of manufacturing equipment, how could that potentially affect the safety of the employees? Now, what if an attack is successful at making a simple modification to the software that instructs a piece equipment as to how many bolts it installs to brace the framing of the car in the assembly process? How would that impact the safety of the consumer? It’s these behind-the-scenes IIoT security scenarios that must be addressed before they become the next sensational news story.

Ensuring Firmware Integrity

Now that cars have basically become computer processors on wheels, there is a significant amount of software and firmware on board that controls many of the vehicle’s functions. The initial install of this software and firmware is carried out during the manufacturing process and generally conducted in a controlled environment. However, as the vehicle hits the road and ages, it’s inevitable that there will be software and firmware upgrades. These upgrades could be performed by certified dealers or any mechanic that has access to the vehicle. How do you know that right software or firmware is being installed in your car? You probably have no clue and your mechanic may not know either. However, if the software/firmware was signed, the integrity can be validated and ensure that only the proper updates are made and malicious software, or firmware is not installed in your vehicle.

For more information on securing the Internet of Things, visit our resource center.

Share this Post

Subscribe to our Blog