Automotive engineers have been adding computers and connectivity for years, but hackers can infiltrate any electronic control unit, aka ECU, through wireless access ports.
The connected car is linking you to criminals with virtually no safeguards in place to protect your personal data or even to prevent the bad guys from taking over control of the car. That is the summary from recent studies and forums in the U.S. and Europe. With the release of the Markey Report earlier this month – Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk – and just completed conferences by Robert Bosch in Germany and one in Michigan by the Center for Automotive Research, it is clear that hackers currently have the ability to do pretty much as they please when they please.
The good news, if there is any for connected car, Bluetooth, OnStar and Smartphone aficionados is that you are likely not the primary target. Instead, hackers want to get to the treasure trove of car company databases and private networks that contain millions of bits of confidential data. Other privacy problems arise from the use of navigation computers that record and send location or driving history information to third party providers who resell it without your knowledge, let alone consent.
There are large security disconnects on so-called connected cars. Makers were caught napping.
Simply put automotive engineers have been adding computers and connectivity for years, but hackers can infiltrate any electronic control unit, aka ECU, through wireless access ports. With more than a hundred ECUs on sophisticated vehicles and 100 million lines of computer code, it is a growing problem that only recently has been recognized. The avionics and aerospace industry has already addressed the issue years ago with a standard called DO178B/C.
Brett Hillhouse of IBM explains there is no “magic box” to solve the problem. Rather this is about hard engineering that brings common processes and methodology to the automobile.
Heretofore quality control engineers were concerned about testing – a build it and break it methodology. What is now urgently needed is an approach that protects the system, identifies threats and responds, thereby controlling the resulting damage says Anuja Sonalker of Battelle, which is active in cyber security programming. Only two automobile manufacturers in the Markey report were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time. Most said they rely on technologies that cannot be used for this purpose at all.
The auto industry obviously would benefit from a concerted, industry-wide approach. SAE is finally proposing a secure and common platform for the automotive industry to communicate, analyze, exchange and share information on imminent cyber security threats. SAE International, through its Industry Technologies Consortia, is assembling automotive manufacturers to define the need, scope and operational requirements for secure communications among devices. The Alliance of Automobile Manufacturers and the Association of Global Automakers are pushing for the formation of an ISAC – Information Sharing and Analysis Centers (Auto-ISAC) to help share information about cyber threats.
