

A ticking time bomb we may just prevent from going off…

Automakers are crossing their fingers and hoping that connected cars will not be attacked. They refuse to work together and instead are moving forward with a multiplicity of security strategies which will be weaker than going down the standards route.

Automakers are being all too slowly drawn to modern security techniques to plug the security holes in connected cars. Riot questions whether that transition can happen swiftly enough to avert potential disaster.

There are already tens of millions of vehicles in the US which are connected via LTE or other cellular connections to the internet, opening them up to a straightforward IP attack. As the attack surface grows, closing in on 100 million cars, they make a more tempting target for organized crime, nation state attacks, terrorists, and random hackers.

The simple question is whether the major automakers can make them truly safe before someone mounts a successful attack – whether that is one car at a time, or a fleet of hundreds of thousands at once.

In this paper, titled Automotive Cybersecurity: A ticking time bomb we may just prevent from going off, Riot takes an in-depth look at how professional security businesses are trying to steer automakers towards safety, and asks how many more years before they will be reasonably well protected.

But in this investigation Riot finds that automakers are not going down the obvious route of agreeing a standard, and moving rapidly towards its implementation in their next generation of connected cars.

Instead, each of them is attacking the problem their own way, on their own turf, moving towards a new security architecture one step at a time, with each using a variety of techniques, from long encryption keys and deep packet inspection to virtual signatures and daily over-the-air (OTA) updates.

Much of it owes something to Public Key Infrastructure (PKI), but not all of it, and each of them is looking at systems like ARM TrustZone to define a safe hardware Root of Trust (RoT). This approach will mean there is more room for more suppliers in the short term, but could just as likely mean that some automakers will remain vulnerable for some time to come. The lack of progress among some smaller car makers is quite frightening.

In the long term it is likely that the eventually successful security system will be open source, not least because Chinese companies refuse to rely on proprietary US systems which they have to license, or vice versa.

But most car makers already understand that they must separate network traffic into different domains, in a manner very similar to current techniques used in enterprise networking.

So as the automotive industry enters a difficult transition period, it is still years from a standardized approach to securing vehicles in a hyper-connected world, and the clock is ticking. If one vendor manages to defend its turf, at the expense of a standardized approach, the mayhem around a single destructive hack of any car, even a rival brand, will still create industry-wide hysteria.

This puts us in mind of the early cellular industry, before the GSMA took control and standardized everything.

And yet across the entire ecosystem, multi-layered services are all preparing for industry-wide launch – first in the US, and then more broadly. These range from generic navigation and in-car entertainment services to safety, such as vehicle location services and remote restart.

Today we are at the beginning of such services, and a handful of brands have truly useful car services, which currently extend to only a single-digit percentage of their owners. But expectation is high that a wider gamut of driver, owner and manufacturer services is just around the corner.

The more beneficial such services become, and the more widely they are installed, the more likely they are to be attacked, either to disrupt revenue or ultimately as a route into remote physical control of a vehicle.

What follows are the accounts of security stakeholders in the automotive industry, capturing perspectives from suppliers – because the automakers themselves collectively declined our repeated requests for interviews. By keeping all their thoughts about security a strict secret, they offer another case of security by obscurity, a strategy the technology industry knows has never worked.

The real route to security is through open standards, which can be hardened by a wide base of users finding different attack vectors during the standardization process, and then sealing such exploits, in the same way the humble SIM card came about.
