Guidance For Connected Vehicle Security

“In the near future, connected vehicles will operate in a complex ecosystem that connecting vehicles not only with each other and the traffic infrastructure, but also with new forms of connectivity and relationships to cloud-based services, smart homes, and even smart cites,” said Brian Russell, chair of the CSA IoT Working Group

“For a safe and secure transportation system, the community must take a fresh look at the larger picture, and develop the policies, designs, and operations that incorporate security throughout the development.”

Automobile connectivity today is evolving on a number of fronts. Platforms designed in the pre-connected era are now being connected in multiple ways. This has allowed security researchers to gain access to sensitive vehicles.

Sensitive functions can be compromised via direct access, such as with USB and the On Board Diagnostic (OBD-II) port, or by remote access such as infotainment consoles, Bluetooth, WiFi and cellular devices.

One of the more interesting topics for conversation at RSA Conference 2017 in San Francisco this year was the IoT and the next generation of ransomware. After all, if you can make money encrypting people’s hard drives (and you can, a LOT of money,) then surely the explosion of smart devices could offer the ingenious criminal even more opportunity to make money fast.

So how does this change how we think about things like ransomware? After all, it’s not likely that we’ll see weaponised encryption techniques holding data hostage when most of the IoT devices are more likely to be throwing data back up to some service as fast as their little wireless card will let them. What is more likely is that attackers will hold them hostage, by shutting them down, making them disappear, or turning them into, well, evil.

For example, the story of the hotel in Austria who discovered that smart door locks are great until someone else controls them, and they want money to let the guests back in. Not good – especially when you have hundreds of angry guests wanting to go to bed.

This kind of Denial of Things (DoT) attack is going to be increasingly effective as the IoT becomes more and more embedded in the fabric of our homes, offices, and cities.

Consider, for a moment, the 15 million+ trucks in the US. Autonomous trucking is clearly on the horizon, yet imagine the social and economic impact if one day those trucks simply stopped. An attack on autonomous vehicles like trucking doesn’t have to be some kind of science-fiction scenario to be devastating.

Rather, as autonomous trucks (or any other vehicle) become a reality, they are likely going to be highly connected to management systems, tracking systems, smart infrastructure, freight tracking systems, and so on. In short, an attack surface, the size of an 18-wheeler. The only thing an attacker would have to do is simply tell them to stop. All at once. And then brick the system, so that it takes a lot of time and effort to clear the roads and get them moving again. Imagine millions of trucks simply grinding to a halt across the country. Think your morning commute is bad? It could get a whole lot worse.

Of course, I understand that this may be far easier said than done, and that all kinds of safeguards will be in place to prevent this from happening. That the trucking industry and autonomous vehicle manufacturers will take security very seriously. 

Nevertheless, let’s be under no illusions that the explosion in devices will offer up countless opportunities to inflict cost, discomfort, and possibly actual physical danger to users and innocent bystanders alike, and controlling that risk will bring with it monetary value.

As usual, the good news is that we’re not there, yet. But “there” isn’t very far from “here” and the attackers know it. This kind of attack isn’t just the kind of thing that commercial hackers would be interested in, either. Far from it – the level of impact rises quickly to be something a non-too-friendly nation state would be interested in, also. Pretty soon those “kinetic IoT” devices become part of the critical infrastructure, and should be treated, and regulated, as such.

Taking control of such complex and deeply intertwined systems will be a tempting target that we need to plan to protect, and force protection of, at the Federal Government level. Otherwise turning the entire US road system into a giant, perpetual truck stop is going to be available at the flick of a switch.

HelpNetSecurity:             HelpNetSecurity:

You Might Also Read: 

Hackers Could Turn Off Your Car Engine – While You Are Driving:

 

« Employees That Cause Data Breaches
How Social Media Influences Elections »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Assure Technical

Assure Technical

Assure Technical offers a holistic approach to Technical Security. Our expertise and services span across the Physical, Cyber and Counter Surveillance domains.

Fieldfisher

Fieldfisher

Fieldfisher's Technology, Outsourcing & Privacy Group has class-leading expertise in privacy, data & cybersecurity, digital media, big data, the cloud, mobile payments and mobile apps.

Cybereason

Cybereason

Cybereason provides attack protection with cutting edge EDR and XDR, and industry recognized consulting services to support organizations throughout any stage of the incident lifecycle.

Modux

Modux

Modux focus on a number of core competencies across cyber security including; cyber intelligence & analytics, penetration testing and training.

Fair Isaac Corporation (FICO)

Fair Isaac Corporation (FICO)

FICO provides analytics software and tools used across multiple industries to manage risk, fight fraud, optimize operations and meet strict government regulations.

La Fosse Associates

La Fosse Associates

The InfoSec Recruitment team at La Fosse Associates specialises in placing Information Security & Risk professionals on a permanent and contract basis.

Cyway

Cyway

Cyway is a value-added cybersecurity distributor focusing on on-prem, cloud solutions and hybrid solutions, IoT, AI & machine learning IT security technologies.

L3Harris Technologies

L3Harris Technologies

L3Harris Technologies is a global aerospace and defense technology innovator, delivering solutions to meet mission-critical needs across air, land, sea, space and cyber domains.

Binary Security AS

Binary Security AS

Binary Security is a Norwegian information security consultancy company. We are specialists at application security, penetration testing and secure code reviews.

AEWIN Technologies

AEWIN Technologies

AEWIN is professional in the fields of Network Appliance, Cyber Security, Server, Edge Computing and an ODM/OEM expert.

FiVerity

FiVerity

FiVerity provides financial institutions with cyber fraud defense to combat a dangerous and growing threat - the convergence of fraud-related theft with sophisticated, high-volume cyber attacks.

Aegis Security

Aegis Security

Aegis Security helps clients to secure their systems against potential threats through pre-emptive measures, such as security assessments, and cutting-edge solutions to security challenges.

Schneider Downs

Schneider Downs

Schneider Downs & Co. provides accounting, tax and business advisory services through innovative thought leaders who deliver their expertise to meet the individual needs of each client.

Upstack

Upstack

UPSTACK - One partner, end-to-end expertise, helping develop the solutions you need – when you need them.

Single Point of Contact

Single Point of Contact

Single Point of Contact is a Managed IT Services provider that helps businesses to achieve a seamless and secure IT environment.

ABPSecurite

ABPSecurite

ABPSecurite is a leading value-added distributor and a network performance solutions provider.