I was surprised to see a big feature story over at CNN.com this morning – given that the security of connected vehicles has no obvious link to LA Clippers owner Don Sterling, the on-going shakeup at the Veterans Administration or a tornado or other natural disaster. Still – there it is: “Your car is a giant computer – and it can be hacked.”
The feature, by Jose Pagliery is solid enough – though it doesn’t break much new ground. He mentions the research by Chris Valasek and Charlie Miller at The Black Hat Briefings last year. He also talks to the folks over at Security Innovation.
[Want more on security and connected vehicles? Check out our video: Insecure At Any Speed: Are Automakers Failing The Software Crash Test? ]
The big take-away: automobiles are rife with old and outdated software and hardware, much of it lacking even basic security features like secure communications and authentication controls. At the same time, automakers are moving quickly to add Internet connectivity to their vehicles, creating the environment for a lot of badness.
Vehicle makers and their suppliers both recognize that. But absent government regulation or cross industry standards that govern the security of connected vehicles, automakers and their suppliers appear to be going their own way: securing their own components against likely attack vectors, even if that component will be deployed in a vehicle that does not offer much in the way of a secure operating environment.
Specifically: Pagliery quotes Scachin Lawande of automobile entertainment supplier Harman Kardon saying that the company is “adding its own layers of security by using software to virtually separate the entertainment system from the car’s network.” The virtualization will make it harder for an attacker to hop from the public-facing entertainment system to critical systems on the CAN (Controller-Area-Network) like the car’s steering or braking system, he said. “The assumption we’re making is that it’ll take a while for the auto industry to move to a more secure internal network than what we have today,” he said.
He also notes that the auto parts supplier Continental is partnering with IBM and Cisco to make in-automobile firewalls.
Expect a lot more stories about connected vehicles and security this week, when experts in the field of Telematics will be gathering in Detroit for a major conference. Telematics, obviously, is a broad term that describes what you might consider “car networking,” and comprises both in-vehicle entertainment and critical systems. Increasingly, wireless and Internet-connected services are part of the story, and the list of companies at the show now includes Silicon Valley and telco giants like Google and Verizon, in addition to more traditional auto makers and suppliers.
Stay tuned for more coverage of Telematics Detroit this week from Security Ledger!