By Matt Hamblen
One of the big worries about new Internet-connected cars and trucks and future self-driving vehicles is how vulnerable they might be to cyberattacks.
Car manufacturers install Engine Control Units (ECU) inside many vehicles, which can be vulnerable to attacks. A hacker could potentially take control of a car radio and quickly turn up the volume or turn off the headlights at night or even steal data from a smartphone connected to the car. The worst scenario might be from a hack on a car’s powertrain.
“There are very serious cyberthreats to connected cars,” Gartner analyst Avivah Litan told me. “They can take the form of terrorism, sabotage, disruption, deliberate human injury or murder–and more.”
Jack Gold, an analyst at J. Gold Associates, said the subject of hacking cars needs more study. “The good news is that it’s hard to hack a car given it’s not standing still most of the time,” he said. “But with more wireless connectivity, it gets easier to connect and potentially affect systems in the car.”
Major security companies are working with carmakers on solutions. At CES 2018 here, many U.S. and European carmakers displayed their latest vehicles with a push for all the conveniences of touch and voice-controlled consoles and functions. The security included in the display vehicles was harder to demonstrate.
One company that stands out in defending against cyberattacks on cars is Cymotive, a joint venture between Volkswagen and former Israeli intelligence agents who are skilled at pre-empting such attacks, Litan said. Auto system vendors like BlackBerry QNX, Samsung, Harmon, Delphi and others all have programs to secure cars, Gold added.
At the Bosch booth at CES, officials described their latest EScrypt intrusion detection and prevention for vehicles. EScrypt is a subsidiary of the German electronics and engineering company, first acquired in 2012. Frank Sgambati, Bosch’s director of smart city business development for North America, said Bosch is talking to car makers about integrating Escrypt into vehicles, but didn’t name any. Bosch has a deep background in automobile electronics. The company first began making semiconductors for use in automobiles 50 years ago.
EScript’s Intrusion Detection and Prevention Solution for vehicles, introduced last year, detects cyberattack attempts and automatically forwards the data wirelessly to experts for forensic analysis. The experts can then define and provide security updates with countermeasures.
Bosch’s approach uses an embedded firewall called CycurGate to immediately block access to ECUs. There’s also new software for intrusion detection called CycurIDS, which monitors data traffic. Then a software product called CycurGuard analyzes and sorts attack patterns to help experts decide on countermeasures, which can includes adjusting the car’s firewall or closing loopholes in the ECU’s that are affected through work with the ECU manufacturers.
Security updates are sent over the air via a secure channel and are protected with digital signatures. EScript also makes a key management system called CycurKeys.
Protecting against cyberattacks in connected vehicles is going to be a huge ongoing concern. Just about everybody in the auto and security industries is busy working on solutions and it will be something for CIOs to watch and evaluate.