Are we going to have security issues on connected cars?

www.pecb.org

Upload: pecb-international

Post on 13-Jul-2015


For over a century, society has been using one of the greatest inventions of everyday life: the car. The car industry is one of the largest in the world and one of the most profitable sectors, and a huge number of people not only use their cars for everyday needs but have fallen in love with them.

This may sound strange, but it is true: a lot of people simply love the metal and other materials that cars are made of. Their admiration seems set to grow, because the car industry is no longer concerned with driving alone; continual advances in technology have brought smart innovations to cars as well.

Thanks to this, in less than one year from now 25% of cars will be connected to the internet, and just two years later, by 2017, more than 60% of them will be as well. This means that very soon a huge number of people will have internet access even while they are driving. What is going to happen? We are going to see more and more "smart" cars with built-in Bluetooth, radio and GPS systems, wireless and satellite systems, advanced touch screens in front, and so on; moreover, they will be able to exchange data among cars, between cars and roadside equipment, and between cars and mobile devices. As a result, drivers will face an enormous number of services, applications and interactions with different systems.

By sending information to one another, cars will be able to reduce problems like traffic jams and road blockages, and crash-avoidance applications will give cars more wheel control, which would reduce accidents. Furthermore, location-based services will enable promotional advertisements and help locate the nearest restaurants, gas stations, hospitals, etc. In addition, checking e-mail and news headlines, connecting to social networks like Facebook and Twitter, accessing home safety systems, seeing weather updates and downloading music are now part of modern cars, and lots of other applications are to come. In recent years, the idea of modern cars with an internet connection has been taking off. These ideas derive from continual improvements in technology, which of course have influenced carmakers, even though they tend to lag behind the latest technology. Besides software developments and smart ideas about different applications, there are various hardware technologies which enable all these developments.

The car itself is a complex system: inside, it has distributed computer systems comprising millions of lines of code executing on tens of heterogeneous processors, with rich connectivity provided by internal networks. On the outside, there are a lot of systems which make an internet connection possible. Some manufacturers have achieved this by making smartphone access possible in the car or by using a wireless USB adapter, some of them are using an Autonet Mobile router which connects to the Internet through a 3G or 4G cellular connection, etc.

All this brings significant benefit to car manufacturers, application developers and telecommunication companies, but it brings something else as well: new jobs and opportunities for attackers!


So, as optimistic as the people involved in this process are about the future of modern cars, they are equally concerned about car security issues or, better said, the car's resistance to cyber-security threats and vulnerabilities. Is this just a concern or something more?

There are already some famous car brands which are considered vulnerable to attack by hackers, so this phenomenon is already a fact.

According to experts, hackers could do anything once they have access to the radio part through short-range and long-range wireless access. This would give them the ability to install so-called malware and have remote, wireless access to the car's network. As a result, they could manipulate the GPS system and track the car, cause the brakes to slam on, control systems such as steering, braking and accelerating, lock or unlock doors, etc. For now, all of the car's network features are very exposed, because all radio functions, Bluetooth and the car navigation system share the same network as the car's engine and brakes, so hackers need to break into just one network.
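The shared network described above is why a single compromised radio component can reach the brakes. As an added illustration (not part of the original article), the sketch below models a default-deny gateway between two separated in-vehicle segments and reports what it would block; the segment names, message IDs, allow-list and sample traffic are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example: segment names and message IDs are hypothetical,
# not taken from any real vehicle or from the article.
INFOTAINMENT = "infotainment"   # radio, Bluetooth, navigation
POWERTRAIN = "powertrain"       # engine, brakes, steering

@dataclass(frozen=True)
class Message:
    source: str      # segment the message arrived from
    dest: str        # segment it asks to reach
    msg_id: int      # message identifier
    payload: bytes

# Default-deny allow-list: (source, dest, msg_id) -> maximum payload length.
# Only status data flows from powertrain to infotainment; nothing is
# allowed from infotainment into powertrain.
ALLOW = {
    (POWERTRAIN, INFOTAINMENT, 0x100): 2,   # vehicle speed for the display
    (POWERTRAIN, INFOTAINMENT, 0x101): 1,   # fuel level
}

def gateway_decision(msg: Message) -> str:
    """Return 'forward' or 'drop:<reason>' for a message seen by the gateway."""
    if msg.source == msg.dest:
        return "forward"                      # stays inside its own segment
    limit = ALLOW.get((msg.source, msg.dest, msg.msg_id))
    if limit is None:
        return "drop:not-allow-listed"
    if len(msg.payload) > limit:
        return "drop:oversized-payload"
    return "forward"

def audit(messages):
    """Apply the gateway to a batch and return the dropped ones for alerting."""
    verdicts = ((m, gateway_decision(m)) for m in messages)
    return [(m.source, m.dest, hex(m.msg_id), v) for m, v in verdicts if v != "forward"]

# Constructed sample traffic.
SAMPLE = [
    Message(POWERTRAIN, INFOTAINMENT, 0x100, b"\x00\x3c"),   # speed -> display
    Message(INFOTAINMENT, POWERTRAIN, 0x200, b"\x01"),       # radio side -> brakes side
    Message(POWERTRAIN, INFOTAINMENT, 0x101, b"\x00\x00"),   # longer than allowed
    Message(INFOTAINMENT, INFOTAINMENT, 0x300, b"track"),    # local traffic
]

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry)
```

On a flat network there is no point at which such a decision can be made, which is the weakness the paragraph above describes.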

Therefore, these situations can occur and can expose us to serious threats whose consequences can be very big. This has been one of the main research topics in recent years, and it has united automotive manufacturers, component suppliers, telecommunication companies, universities, research institutions and public authorities.

However, this will not be easy. Car manufacturers and designers need years to incorporate, test and implement a technological achievement in their products. The paradox is that innovations and achievements in technology get old within two years.

In addition to this, security achievements in connected cars seem to be developing along different lines. This divergence is of course due to the different types of technology used to provide these kinds of services, but even so, there should be a number of standardized requirements as a reference for every organization involved. The requirements should be set after identifying user and system risks, their types and severity; examining the varying levels of security options available to address the risks; and examining the institutional issues associated with this approach and the resulting impacts on safety, privacy, user acceptance and cost. These standardized requirements should include policy and institutional requirements for communication security based on industry and stakeholder needs. All this would result in industry best practices for preventing, detecting and mitigating security risks in interconnected cars.


Conclusion

The advantages and benefits of using technology will always overcome the fear of possible vulnerabilities that would bring harm, but because of the huge risk that can result from the malfunctioning of cars, issues like this should be considered very important. Some pragmatic recommendations for future automotive security, together with an identification of the fundamental challenges, should be given very soon, and they have to be standardized so that every party in the carmaking process speaks the same language. In addition to this, proposed roles and responsibilities for organizational and operational management entities should be defined; they need to understand the key requirements of security protection, and therefore certified personnel are more than needed.

Professional Evaluation and Certification Board (PECB) is a certification body for persons on a wide range of professional standards. It offers ISO 27001, ISO 31000 and ISO 27005 training and certification services for professionals wanting to support organizations on the implementation of these management systems.

ISO Standards and Professional Trainings offered by PECB:
• Certified Lead Implementer (5 days)
• Certified Lead Auditor (5 days)
• Certified Foundation (2 days)
• ISO Introduction (1 day)

Lead Auditor, Lead Implementer and Master are certification schemes accredited by ANSI ISO/IEC 17024.

Rreze Halili is the Technology, Security and Continuity (TSC) Product Manager at PECB. She is in charge of developing and maintaining training courses related to TSC. If you have any questions, please do not hesitate to contact: [email protected].

For further information, please visit www.pecb.org/en/training