Here's how engineers can safeguard cars from hacking
Brian Jones | November 12, 2024Today’s vehicles continue to evolve rapidly, with increasing connectivity features being added daily. From the onboard diagnostic systems to advanced telematics platforms, vehicles integrate seamlessly with cloud-based services and external devices. Connectivity extends beyond simple navigation, Bluetooth and entertainment, enabling over-the-air updates, remote diagnostics and real-time tracking. While vehicle-to-everything (V2X) communication and advanced driver assistance systems (ADAS) enhance efficiency and safety, there are also some unique challenges, the most important being privacy concerns and cybersecurity risks.
Considering that by 2025, more than 10 million vehicles will be capable of short-range V2X communication, it’s time to think about the next steps. In just the past few years, from 2018-2023, automotive hacks increased by about 225%, with remote attacks accounting for about 85% of all breaches, according to an Upstream Global Automotive Cybersecurity Report. As connectivity expands, addressing these obstacles becomes paramount to ensure safer, more secure transportation in this digital age.
Understanding the threat landscape
Before assessing how to protect cars from hacking in the future, the pitfalls must first be examined. As connectivity and reliance on electronics increases, connected cars become more vulnerable to cybersecurity threats. The most obvious threat may be remote hacking, with vulnerabilities exploited in the software or communication systems to gain unauthorized remote access to the vehicle. Once assessed, the hackers can manipulate critical functions, even to the extent of braking, acceleration and steering. The hacker can use this threat for ransom, demanding something from the owner to regain control of their vehicle. There’s also a concern with the control that is given when a hacker gets into a commercial fleet account, disrupting transportation and damaging the company’s reputation.
Malware and viruses become a concern when malicious software infects an onboard computer or infotainment system through cellular networks, Wi-Fi connections and USB ports. This malware could facilitate unauthorized access by hackers to steal sensitive information, leading to identity theft.
Denial-of-Service (DoS) attacks now extend to transportation, overwhelming the communication network or systems of a vehicle with a flood of information, rendering some critical functions unusable and causing disruptions to service. DoS attacks could stop drivers from accessing essential services like emergency assistance or navigation.
Hackers can also intercept communications between the vehicle and external networks. This hacking gives away the vehicle’s location and the occupants. Stalkers and other reprehensible characters could exploit this surveillance, leading to a massive threat to everyone’s safety.
In 2023 alone, more than 353 million people were affected by data compromises. This threat has become even more alarming with the rise of connected cars that collect and transmit personal information, vehicle diagnostics and driving habits. Consider also the unspoken threat of rogue contractors and employees accessing a car’s systems. These insiders could abuse privileges given to them to steal private information, facilitate a cyberattack or sabotage vehicles.
Real-world hacking examples
The more technology is introduced, the higher the treats become. Yet, so many events have already played out before our eyes. Consider these examples from the past decade.
Tesla Model S (2016): Tencent’s Keen Security Lab revealed a remote hack of the Model S that allowed manipulation of several vehicle functions, such as operating the infotainment system, opening doors and activating the brakes with the car in motion. Tesla immediately responded with some over-the-air updates to address the vulnerabilities.
Ford and VW (2020): The consumer group Which? uncovered some vulnerabilities in the Volkswagen Polo and Ford Focus internet-connected systems that could allow hackers to steal personal data and access vehicle management. The hack was possible through a command disabling the traction control system, allowing access to the infotainment center. Ford vehicles were also found to have a weakness that allowed the hacking of tire pressure monitoring systems, tricking drivers into believing they had a flat tire, so they pulled over, which is a huge safety risk.
Luxury car heist in London (2022): Beyond hacking a particular brand, criminals used specialized equipment to gain access to 25 luxury cars in London during one night. They bypassed the keyless entry system and disabled GPS trackers, leading to a loss of more than £3 million.
Key technologies for securing connected cars
With so many threats present, companies worldwide are scrambling to find solutions. While the foundations have all been set to prevent disasters, more work must be done. Here are a few technologies that must be well-established to secure connected cars.
Encryption and authentication
Encryption is the process of converting plaintext data into ciphertext through cryptographic keys and algorithms. This process leaves the information unreadable by unauthorized users. Working hand-in-hand is authentication, which is the process of verifying the identity of the users before providing access to secure files.
Both encryption and authentication need to be used if manufacturers hope to secure data transmissions and communication channels between the car’s components, including the sensors, external networks and onboard computers. With encrypted data en route, eavesdropping, unlawful access and tampering are prevented.
Currently, several types of encryption can be used. Many people are familiar with symmetric encryption, which uses a single shared key for encryption and decryption. It’s critical not to overlook asymmetric encryption, also known as public-key cryptography, which utilizes both public and private keys for encryption and decryption. This process allows for secure key exchange and authentication with the required pre-shared secrets. Otherwise, transport layer security (TLS) would be used. This protocol provides encryption and authentication for network communication, offering secure connections between the external services and services and the connected components.
Authentication also comes in several forms, with password-based methods being the most common. With a password to authenticate identity, the credentials can be set up to meet a certain level of difficulty, making it harder for hackers to bypass. Biometric authentication is also popular with fingerprint and facial scans or voice control to determine the user’s identity. Certificate-based measures use a digital code to verify the device or user, yet the safest method is multi-factor authentication (MFA), which requires multiple forms before giving access, such as a combination of biometrics and a password. Some vehicles already use two-factor authentication with the key fob. As the driver walks toward the car, a chip in the key fob identifies the person, unlocking the car. With that same key fob, the car can be started, checking for the chip twice. Several cars can also be operated through an app, which requires additional authentication.
Intrusion detection and prevention systems (IDPS)
IDPS use software to monitor the events happening in the network or computer system. This software analyzes the information for signs of hacking or intrusion. Cyberattacks and security breaches can be stopped in real time with this monitoring. IDPS solutions generally have a combination of anomaly and signature-based detection with behavioral analysis programming to detect and reduce potential vulnerabilities or threats.
IDPS may detect suspicious behaviors from increased traffic during hacking or malware infections and report them to the cybersecurity team or manufacturer so they can take action. IDPS can also be combined with security information and event management (SIEM) systems to correlate events and analyze the threats. This combination will prove valuable in future forensic investigations.
Garrett Motion is one company looking to perfect the technology, yet false positives could occur from benign activities or misconfigurations. The technology must also continue adapting to meet new threats, requiring frequent updates and security patches.
Over-the-air (OTA) updates
Car manufacturers have used OTA updates to deploy software updates and security patches, but they are going to be even more valuable in connected cars. By remotely delivering the updates needed to connected devices, manufacturers can provide quick bug fixes and patches to secure the systems. Updates are sent via Wi-Fi connections and cell service, so emerging threats are dealt with promptly. OTA updates may also allow for customer feedback, reducing the need for additional service visits or recalls.
To securely send OTA updates, encryption and authentication are necessary. Otherwise, there could be exploitation and tampering of the information. It’s also difficult to send or receive OTA updates when there’s a lack of reliable networks. Those living in remote areas with limited network coverage may be more vulnerable to attacks and hacking.
Hardware security measures
While the main focus of security is going to be software-related, the hardware aspect should never be overlooked. Hardware-based solutions provide physical safeguarding to connected cars and prevent unauthorized access. A secure boot mechanism verifies the authenticity of the software components and reads digital signatures that should match a trusted key set secured in the hardware. If this set doesn’t match, the process is stopped. This chain of trust prevents hardware from running if it has been compromised.
Finally, more physical tamper resistance mechanisms will be installed in connected cars. Some equipment used may include anti-tamper seals, intrusion detection sensors and specialized packaging to indicate tampering. These systems ensure unauthorized access doesn’t occur. GuardKnox is a company that continues developing cybersecurity hardware solutions for end-to-end protection in future vehicles.
Regulatory and industry initiatives
In closing, regulatory initiatives continue to shape the connected car landscape with new standards, best practices and guidelines for manufacturers to follow. The NHTSA’s Cybersecurity Best Practices for Modern Vehicles guides manufacturers about securing vehicle systems and reducing cybersecurity risks. The ISO/SAE 21434 also sets an international standard for automotive cybersecurity, with requirements for managing cybersecurity risks, while the cybersecurity handbook (SAE J3061) outlines the best practices for automotive cybersecurity risk management and engineering.
The future of connected cars is bright and exciting, but it’s never without challenges and obstacles that must be overcome. Cybersecurity must be a priority for all automotive manufacturers in this digital age if they are to protect consumers from fraud and exploitation.
About the author
Brian Jones is an ASE Certified Master Technician and owns a small business in the automotive industry. He is also an experienced technical writer.