By David Chiu, Director, Product Marketing, CA Technologies
With their high-stakes emphasis on precision sensors and artificial intelligence, self-driving features tend to grab the spotlight when it comes to automotive technology. But behind every new vehicle that rolls off the line–autonomous or not–is a far more mundane capability that nonetheless plays a critical role in delivering the experience that today’s drivers expect–the vast network of services that makes up a connected-car ecosystem.
Actually, the term “autonomous vehicle” itself is a bit misleading, because few pieces of modern technology rely more heavily on constant, reliable, and ubiquitous networking than a connected car. From basic entertainment, navigation, and mobile connectivity to diagnostics and remote operation, automotive connectivity requires manufacturers to integrate millions of lines of vehicle code with a broad range of APIs from industry, service, insurance, government, and technology partners.
Over the next few years, in-car telematics will expand even further to include early implementations of vehicle infrastructure integration (VII), which will for the first time allow direct machine-to-machine communication between vehicles on the road, and possibly sensors in the road itself.
This growing number of API endpoints–which have increased in scope and criticality from entertainment and navigation to mission-critical driving features–creates a staggering number of potential security, privacy, and public safety vulnerabilities that automakers will have to address in the coming months and years. Today’s vehicles are data centers on wheels, and any vehicle component that communicates externally is a potential attack vector for hackers.
While network and API threat protection have been top of mind across many industries from retail to finance, security experts estimate that many automakers are up to three years behind other verticals in their understanding of how to prevent these types of cyberattacks–despite the fact that such breaches could result in life-threatening public safety issues. Over the past several years, research has demonstrated security weaknesses across many vehicles from a range of manufacturers. In one highly publicized example, WIRED magazine, in conjunction with white hat hackers Charlie Miller and Chris Valasek, was able to seize control of an SUV that was speeding down a St. Louis highway over ten miles away.
Although the use cases and applications in a connected car ecosystem are somewhat unique to the auto industry, the underlying threat protection patterns required to secure them are not.
Just like any other vertical that needs to integrate and expose sensitive data to mobile endpoints, vehicle manufacturers must effectively create, deploy and manage connectivity points in the form of APIs, protect them against attack or hijack, provide seamless access for authorized users, and optimize the speed and reliability of transactions.
Established protocols and patterns (such as building end-user authentication with OAuth and Single Sign-On into mobile apps to access vehicle features) should be considered the bare minimum to ensure that the security and privacy of vehicle owners are protected. While this may seem obvious, just last year a major automaker had to temporarily disable its entire mobile app program after security researchers discovered that one of its APIs could be used without any authentication–just a VIN and a basic web request–to take control of vehicle functions anywhere in the world.
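To make the contrast concrete, here is an added example (not code from the article or from any automaker) of a vehicle-control API handler in both forms: one that accepts the VIN as its only "credential", the failure mode the paragraph describes, and one that requires a bearer token issued after the user signs in and then checks that the token's user is authorized for that specific VIN. The VINs, account names, signing key and token format are constructed for the demo; a real deployment would validate tokens issued by its OAuth authorization server rather than minting them locally.

```python
"""Weak versus hardened vehicle-control endpoint (added example, constructed data)."""
import hashlib
import hmac
import time

# Constructed sample data: which account owns which vehicle.
VEHICLE_OWNERS = {
    "1HGCM82633A004352": "alice",   # constructed VIN -> account
    "5YJ3E1EA7JF000001": "bob",
}

# Demo-only signing key. In production the token would come from the OAuth
# authorization server that the mobile app signs in to; we mint one here so
# the example runs offline.
SIGNING_KEY = b"demo-key-not-for-production"


def issue_token(user, ttl_seconds=3600, now=None):
    """Mint a signed, expiring token bound to a signed-in user."""
    now = time.time() if now is None else now
    payload = f"{user}|{int(now + ttl_seconds)}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token, now=None):
    """Return the user the token belongs to, or None if malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        user, exp, sig = token.split("|")
        exp = int(exp)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{user}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time compare
        return None
    if exp <= now:
        return None
    return user


def weak_handle(request):
    """The pattern the article describes: knowing a VIN is enough to act on the car."""
    vin = request.get("vin")
    if vin not in VEHICLE_OWNERS:
        return 404, "unknown vehicle"
    return 200, f"{request['action']} sent to {vin}"


def hardened_handle(request, now=None):
    """Authenticate the caller first, then authorize the caller for this VIN."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    user = verify_token(auth[len("Bearer "):], now=now)
    if user is None:
        return 401, "invalid or expired token"
    vin = request.get("vin")
    # Authorization is per vehicle: Bob's valid token must not act on Alice's car.
    # An unknown VIN and someone else's VIN get the same answer, so the response
    # does not reveal which VINs exist.
    if VEHICLE_OWNERS.get(vin) != user:
        return 403, "not authorized for this vehicle"
    return 200, f"{request['action']} sent to {vin}"


if __name__ == "__main__":
    req = {"vin": "1HGCM82633A004352", "action": "unlock"}
    print("weak:", weak_handle(req))             # succeeds with no credentials at all
    print("hardened, no token:", hardened_handle(req))
    req["headers"] = {"Authorization": "Bearer " + issue_token("alice")}
    print("hardened, owner token:", hardened_handle(req))
```

The two checks in `hardened_handle` are separate on purpose: authentication (is this a valid, unexpired token from a real sign-in?) says nothing about authorization (is this user allowed to control this vehicle?), and an endpoint that stops after the first check still lets any signed-in user operate any VIN they can guess.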
As the connected vehicle market accelerates beyond $100 billion next year, and more mission-critical capabilities such as autonomous driving are added to feature lists, automakers and their technology suppliers will need to ensure that they address the inevitable vulnerabilities that will arise as the threat vectors expand. Doing so will require a major paradigm shift at automakers, who will have to treat cyber and network security exactly as they would engine controls, airbags, brakes, or any other major vehicle system.