Connected vehicles are a big new area of investment. We saw evidence of that at the recent Consumer Electronics Show (CES) and we’re hearing a lot more about it this week, as carmakers strut their stuff at the North American International Auto Show.
Security isn’t generally part of the conversation, but as we’ve noted here on more than one occasion: connected vehicles introduce a myriad of challenging security problems, from authentication to communications and system integrity, not to mention data privacy.
[Read more Security Ledger coverage of connected vehicles here.]
Now networking giant Cisco says that it sees a role for its technology in protecting vehicle area networks (VANs), just as the company’s networking equipment enabled and protected local and wide area networks (LANs and WANs) over the last two decades.
In a blog post, Cisco said it is rolling out “a range of products and services” that it is calling “AutoGuard.” The technology will perform a number of security functions that are now common on PCs and other multi-purpose endpoints, but that have been missing from connected vehicles. Among them:vulnerability detection and other Vehicle Area Network security functions. Cisco said it wants to support realtime, over the air updates for vehicle ECUs (electronic control units) that could obviate trips to a service garage or expensive vehicle recalls.
Looking further into the (extensive) automobile supply chain, Cisco said it will also be working with Original Equipment Manufacturers (OEMs) to make their components capable of supporting what Cisco calls ‘security mechanisms.’ Those mechanism will include authentication and integrity checking for third-party components in vehicles and a “secured applications framework” (read: app store) that would allow third-party apps to integrate with a vehicle infotainment system without compromising driver safety and privacy.
The evolution of automobiles from (mostly) disconnected hunks of steel and fiberglass to always-connected intelligent devices is already well underway. Elon Musk’s cutting edge electrical vehicle firm Tesla has already pioneered the ‘over-the-air’ update to its fleet, beginning with a software update in September, 2012. Following scattered reports of fires caused by Tesla vehicles, the company in pushed out a software update that tweaked the suspension of Tesla cars, giving the vehicle a bit more ground clearance.
Google and leading car makers announced that they are is collaborating to bring its Android mobile operating system in vehicles, and the day may not be long off where car owners can buy or even rent add-on features with the ease of adding a new app to your iPhone.
With such interactivity mushrooming on connected cars, some measure of security and privacy is warranted. However, automobiles present a number of challenges to security software makers that don’t exist on multi-purpose endpoints like PCs and servers.
In an episode of Talking Code last year, Chris Wysopal, the CTO of Veracode, noted that automakers need to expand their thinking beyond vehicle safety to vehicle security, which requires engineers to imagine a likely adversary. But, Wysopal added, true application security is a much broader problem that takes into account the “failure modes” of the software and how they could be exploited to gain control over the operation of a system.
Stay tuned for more!