Attacks or No, Security Firms Race to Connected Vehicle Market


In-brief: Security giant Symantec’s foray into automotive security is just the latest sign that the connected car market is the new frontier for cyber security firms. But a dearth of attacks and long development cycles may slow progress.

Cyber attacks on automobiles are all-but-unknown, but that isn’t stopping a slew of established technology firms and venture-funded start-ups from betting that security tools that make connected vehicles safe from hacking is the market to be in.

Anti virus giant Symantec is just the latest firm to trumpet new products and partnerships that promise to protect connected vehicles from cyber attack. But with few threats to speak of, and years-long product development and manufacturing cycles to contend with, it may be a while before security software and hardware is standard issue in connected vehicles, security experts say.

Best known for its Norton desktop security product, Symantec on Wednesday announced Symantec Anomaly Detection for Automotive, a product that promises to “protect against zero-day attacks and never-before-seen issues facing modern connected vehicles,” according to a statement by the company.

The company’s announcement coincides with a major vehicle technology trade show, TU Automotive, gets underway in Detroit.

Though security of software and hardware in vehicles has been a topic of conversation within academic circles for years, the remote, software-based attacks on a Fiat Chrysler Jeep Cherokee, demonstrated last summer by researchers Charlie Miller and Chris Valasek, drew a double line under the problem poor security on connected vehicle networks.

“If you look at the attacks from last summer where you had a car that was remotely attacked, the way it was done was to attack the CAN bus,” said Brian Witten, Symantec’s Senior Director for Internet of Things Security, referring to the Controller Area Network that connects critical components on the vehicle. “You had one module spoofing another – those behaviors show up as anomalies (and) automakers want to know about those things,” he said.

Symantec will make use of  machine learning and behavioral analytics technologies that it has developed or acquired. Witten said the firm has started doing deals with “top automakers” to have the Symantec technology embedded in new vehicles in the years ahead. 

Witten said the technology has the advantage of being adaptive – monitoring Controller Area Network (CAN) bus traffic, learning what normal behavior is and flagging activity that is unusual and may indicate an attack. The solution works with virtually any automotive make and model, and doesn’t rely on manufacturers to tell it what to look for, Witten said.

The company isn’t alone. A venture funded start-up, Karamba,  on Tuesday released Carwall, an in-car security software that secures electronic control units (ECUs) within connected cars against cyberattacks. David Barzilai, Karamba Security’s chairman and co-founder said that his company’s technology targets the wide range of embedded systems that can be found in modern automobiles, detecting malicious software and other “foreign code” that might run on ECUs. The product can also identify ephemeral “in memory” attacks that do not install on the embedded device, Barzilai said.

Other firms are targeting communications between vehicles and the outside world. The security firms Savari Inc. and Security Innovation said on Monday that they would collaborate on solutions to secure vehicle to vehicle (V2V) and vehicle to pedestrian (V2P) communications, as connected cars increasingly sense and respond to the world around them and use that information to avoid accidents or other hazardous conditions.

“The public and private sector that’s bringing V2X technology to market also shares the responsibility of ensuring that this data is secured through real-time message certificate validation,” the two companies said in a statement.

Connected vehicles, which include features like in-vehicle Internet access, navigation and roadside assistance, are becoming more common. The analyst firm Gartner estimates there will be 220 million connected cars on the road by the end of the decade.

But automakers have been slow to adapt to the security and risk implications of connected features, experts agree. In a March report (PDF), the U.S. Government Accountability Office (GAO) told Congress that modern vehicles feature many communications interfaces that are vulnerable to attack, but that measures to address those threats are likely years away, as automakers work to design more secure in-vehicle systems and regulators, like that National Highway Traffic Safety Administration (NHTSA) struggle to determine their role and the scope of possible regulations. In the private sphere, groups like IAmTheCavalry have recommended a five-star rating system for vehicle security, which would put information security on par with other safety features that consumers value and show a preference for.  

Still, a lack of progress in recent years and long product cycles means modern vehicles are still easy pickings for security researchers. When researcher Ken Munro of the UK firm Pen Test Partners recently went to the Japanese automaker Mitsubishi with information about exploitable vulnerabilities in a wireless hotspot deployed in late-model Mitsubishi vehicles, he said the company wasn’t prepared to receive the information and struggled to understand the import of Munro’s findings. “They didn’t ask me what I did. They kept asking me why I did it,” Munro said. “I didn’t really know how to answer that.”

After hitting a dead-end with the car maker, Munro’s firm approached the BBC with his findings. Only then was Munro able to get the attention of Mitsubishi, which is now working to quickly address the security vulnerabilities he identified.

Craig Smith, an independent researcher who is the author of The Car Hackers Handbook, said that the automotive industry poses significant challenges for security firms and car makers alike. “When you design a vehicle, you’re looking at five years from concept to release,” Smith said. The security products being introduced today may not be in use for years.  “I think that’s why you hear security researchers beating the drum to get on this,” he said.

While demonstrations of software-based takeover of critical vehicle systems like the hack of a Jeep Cherokee in 2015 are dramatic, Smith said that vehicle owners should be just as concerned about efforts to steal and misuse the data collected on smart vehicles, he said. Companies focused on protecting revenue streams from in-vehicle data need to be balanced with driver safety, privacy, civil liberties as well as “tinkerers” who want the freedom

Munro sees the issues facing automakers as an outgrowth of security issues facing other industries as well. Embedded devices sporting Internet connections are subject to the same kinds of attacks and privacy concerns as traditional technology assets like server and desktop computers, but embedded device makers often have far fewer resources and less experience addressing security issues than firms like Microsoft, Adobe and others.

Still, securing vehicles and other embedded devices present different challenges than PCs and servers, among them: small, rugged and resource constrained devices as well as a variety of embedded and real-time operating systems (RTOSs).

Munro said that, given those constraints, add-on security products may have more limited appeal.

“(Security) is a thought process – a design process – not a product process,” he said.