Expert Insight: Securing Smart Cars

Like any new and emerging technology, smart cars also have its share of security loopholes that exposes user data and privacy to risk. Unfortunately, they can also pose risks to physical safety. The notion of car hacking seemed far-fetched a few years ago, but the recent proliferation of connected, automated, and self-driving cars bring to the fore both the benefits and vulnerabilities that come with smart cars.

This year alone, researchers reported several security gaps with dire consequences, like vulnerabilities that allowed the vehicle to be remotely controlled, or remotely unlocking doors that could allow the car to be stolen. Here’s a rundown of some of the notable car hacks and vulnerabilities that have been reported this year:

• Our researcher investigated the SmartGate System in Fabia III cars (by Skoda Auto), the system that allows users to connect their mobile device to read car status and driving data.  It was discovered that it's possible to read the car’s data if the hacker is within the Wi-Fi network range and guessed the password code, which is fairly easy to do.
• Researchers Valasek and Miller hacked into the infotainment system of Jeep Cherokee and found that it's possible to control the vehicle's engine and brakes via 3G internet connectivity.
• Vulnerabilities in BMW's ConnectedDrive could allow attackers to open the doors, get the car’s location, and read emails sent via this feature. 
• In New Zealand, a Jaguar XFR was reportedly stolen after its systems were hacked.
• Researchers Kevin Mahaffey and Marc Rogers found vulnerabilities in the Tesla model S infotainment system that could be hacked to remotely start or shut off the engine.

Car makers recognized the risks that smart cars may entail and have taken steps to coordinate with lawmakers on how to better protect the privacy and safety of the users.  For example, car hacking for research purposes is now a part of copyright law exemptions. As such, security researchers can tinker with smart cars to conduct further studies on vulnerabilities and report it to respective car manufacturers without being sued. 

In this expert insight video, senior threat researcher Rainier Link talks about smart car security and the role of car manufacturers in making sure that these connected systems are secure. “From the manufacturer’s perspective, they might have a lot of knowledge on building cars but they may lack a little bit of knowledge on IT security because it’s new to them.” He also noted that some manufacturers are now building penetration testing teams to check how secure their cars are, and discusses patches, vulnerabilities, and how security should be one of the top considerations when creating new technology.