Security experts have warned that it will take up to three years before car manufacturers start to produce vehicles with strong security protections built in as standard – even as major brands accelerate development of vehicles chock-full of tech-savvy features that are connected to the internet.
The warnings come following a joint investigative report produced by International Data Corporation (IDC) and commissioned by security firm Veracode, who conducted interviews with a slew of car manufacturers including Fiat-Chrysler, Scania and Seat to judge the current state of the 'connected' industry. The research found that current privacy and security standards are not in line with the known sophistication of hackers and cybercriminals and warned that it may take years to catch up.
"While automotive manufacturers are well aware of the issues relating to physical security for the connected car and liability thereof, the cybersecurity issues are less understood," the report warned. "This is new technology and the strategies for addressing these issues are still being formulated.
"The industry is just beginning to debate cybersecurity issues surrounding connected cars. Manufacturers [said] that it will be one to three years before connected car systems are implemented with full consideration of such concerns. The question for manufacturers is whether this is realistically feasible given the challenges ahead and the rate at which applications are being developed today."
As many carmakers are beginning to realise, the threats out there in the real world are vast. In one landmark demonstration last year, two security researchers were able to hack into the 'connected' dashboard of a Jeep Cherokee and take control of a range of functions including door locks, steering, transmission, air conditioning and brakes. Following this revelation, Fiat-Chrysler was forced to issue a formal recall for 1.4 million vehicles in the US.
"Exposing a car to the internet makes it vulnerable to cyberattack due to poorly written software, which could render the car unstable or dangerous," explained Chris Wysopal, chief technology officer at Veracode. "Building a secure application development programme is a significant challenge for manufacturers, which is compounded by the need to do so under the microscope of government regulated safety standards and liability concerns."
"What we're seeing happen in the auto industry is a microcosm of what's happening in financial services, healthcare and virtually every other sector – applications are not created with security in mind, creating a major area of risk."
Hacking, regulation and the Google problem
Yet the technology is here to stay and will eventually have long-term implications not only for manufacturers but also government and law enforcement, the IDC report argues.
"For vehicle manufacturers, the issues go beyond automotive design and safety to determining what impact becoming a software and application provider will have for their overall business," it states. "While manufacturers have been dabbling in embedded software systems design for some time, building an application development team able to compete with the likes of Apple or Google is a significant challenge. Doing it under the microscope of government regulated safety standards and liability concerns is another.
"The ability for drivers to download software to navigate, park, communicate, conserve fuel, self-park, or other driver enhancements will revolutionise the automotive sector. Yet exposing a car to the Internet makes it vulnerable to cyberattack or malfunction due to glitches caused by poorly written software — either of which could render the car unstable or dangerous."
Imagining the real dangers involved with connected – and even driverless – cars is not difficult. In one recent example, Nissan was forced to disable the NissanConnect EV smartphone app for its 'Leaf' range of vehicles after hackers successfully took control of the electric car using the app.
"The positive implication from our research is that the market for downloadable applications is large, spanning the entire market of drivers of all ages and genders. Manufacturers should increase their focus on how to secure applications that enhance car functionality, such as the many driving aids currently being developed," said Duncan Brown, research director at IDC. "Manufacturers cannot afford to be complacent when it comes to application and overall system security within vehicles."