The world is headed for a future where humans don’t need to drive anymore. Over the coming years, vehicles will become increasingly automated, and eventually, Australians will not need to drive a car at all.
In the automotive industry, there are a number of approaches to achieving this outcome. Companies like Waymo, GM and Argo (with investments from Ford and Volkswagen) are all using a tech stack that relies on LIDAR mapping of the environment and HD Maps. Others like Tesla and Comma.ai are using computer vision (AI) fed by cameras, radar and ultrasonic sensors.
The space of autonomy is still incredibly new, with legislation racing to catch up to the rapid developments made by vehicle manufacturers.
How autonomy is achieved is almost irrelevant; it needs to be safe. With the potential to be far safer than humans, it’s equally important that our road and traffic authorities create benchmarks for automakers to meet, to determine how safe vehicles are.
Most cars now feature electronic control units to control the vehicle’s movements, while also containing infotainment systems with online connectivity and, more recently, even digital keys.
As cars become computers on wheels, they also become interesting to cybercriminals.
This year, a report from Wired showed that encryption flaws in an anti-theft feature meant hackers could clone millions of car keys. There are other articles regarding the security of autonomous vehicles, ranging from weird fringe cases to absolute showstoppers. It is important that we distinguish between the company and product impacted and autonomous vehicles as an industry.
Think of the Samsung Note issue. At the time the phone was catching fire, we all had phones in our pockets, but didn’t panic because they were made differently, by a different team, to different specs with different testing, so it wouldn’t be fair to paint all phone makers with the same brush. The same is true with autonomy.
There is no debate: the amount of data stored by the automotive industry is on the rise. Traditional car purchases were once-off transactions: you paid the money, you got the keys and you drove your new car out of the dealership, then paid as needed for maintenance over the life of the vehicle.
Now we have a very different relationship with the supplier of our vehicle. Increasingly it’s coming direct from the automaker, where we input our details to buy the car online. Once the connected vehicle arrives, we can buy vehicle upgrades and pay for recharging, all via an app on our phone. This typically means the automaker will be storing personal details like name, phone number, address and credit card details, along with protecting your username and password, which could also provide access to your car.
These details are key targets for hackers, evidenced by the ransomware attack this year on Australia’s car auction company, Manheim Auctions, which demanded the company pay $30 million to gain access to its files. Toyota Australia’s IT system was also attacked by cyber criminals in 2019.
Security company Kaspersky has examined several apps that control cars from various manufacturers for different reasons. These apps turned out to be vulnerable to attacks in one way or another.
“A car requires an approach to security that is no less meticulous than that of a bank account. Car manufacturers and developers fill the market quickly with apps that have new features to provide quality-of-life changes to car owners. It’s important for both the manufacturer and developer to think about the security concerns and the safety in its infrastructure.”
Senior Security Researcher, Noushin Shabab
It seems security can often become a lower priority in some organisations, with poor security practices fairly common. In one example, the mobile app stored the credentials for an account in plain text, meaning if the phone was infected with a trojan, it’d be trivial to gain access to this user’s account.
Transportation is a massive industry with big budgets, making it an ongoing target for increasingly sophisticated attacks. Manufacturers have complex production lines and high levels of automation combined with precision techniques, test data, and thousands of employees. This means security is a real challenge for these organisations and certainly not their core competency.
While most of us think of Kaspersky as the provider of security products in the enterprise and consumer worlds, they are going deep on automotive.
3 years ago, Kaspersky established a transportation unit and has been working closely with major players in the autonomous vehicle space to ensure security threats and risks are considered at the outset.
The company even has software technologies like Kaspersky Automotive Adaptive Platform, Kaspersky Security for ECUs and a secure communication unit running KasperskyOS.
“The latest regulation by UNECE WP.29 will change the automotive industry to think about placing cybersecurity at the forefront of their designs and innovations.
Decision makers will now have to think about cyber security from the very beginning when deciding to incorporate new layers of emerging technology to transport systems.”
Evgeniya Ponomareva, Business Development Manager at Kaspersky
Kaspersky has had a long-standing relationship with Formula 1 team Ferrari. The category’s intense competition requires ongoing massive investments in innovation and requires new parts and IP to be developed and delivered to the race track securely. Given the sensitive nature of the data both from the race and from vehicle development, cybersecurity is a key focus for Ferrari and that’s where Kaspersky helps.
Vicky Piria is famous for racing in the W Series, an all-female single-seater racing championship. Piria is also a Kaspersky Ambassador and works with the FCA Group, where she is involved in test driving.
“When I road test cars, apart from driving with an intuitive feeling, it’s also based on something I can see. For example, technology helps to identify and develop traction control.
Here, I can see a security system of a car that doesn’t work because of a failing traction control. However, at the same time, the only way to understand the problem and resolve it is ultimately to drive the car.”
Kaspersky Ambassador and Race Car Driver Vicky Piria
As we walk, or perhaps run, towards an electric, autonomous future, it’s important to prepare ourselves, our businesses and particularly the expectations of the vehicles we drive and will ultimately ride in.
Here are 3 ways to start practicing cyber-awareness habits:
1) Go back to basic cyber 101.
Software and services in 2020 are almost all connected to the internet. It’s important that you use a strong, complex password, don’t give your credentials to anyone else, and don’t reuse your vehicle account details for any other account.
2) Car ride share apps.
Don’t put your main credit card information on your car sharing apps. Instead, use a separate card for transactions when taking car ride shares or other types of public transport.
3) Enable MFA.
It’s likely you already use multifactor authentication (MFA) with some of your accounts for banking, email, etc., and wherever possible, it’s a great idea to enable MFA. This means access to your account is protected by not just a username and password that can be guessed through a brute force attack or found through malicious software and unencrypted details.
Where MFA differs is that it also verifies the authentication (login to an app or website) is being performed by you, by sending you a unique code. This can come in the form of an SMS, but a safer technique is to configure an authenticator app like Google Authenticator or Microsoft Authenticator, available for free for both Android and iOS. Without access to your device, the username and password are not enough to access your personal details.