NOWSECURE CONNECT 2022 CONFERENCE - REGISTER FOR REPLAYS!

NowSecure Connect — THE mobile AppSec + AppDev community online event — returns with new content and the latest training. Join the world’s brightest innovators, practitioners, community leaders, and industry influencers online for in-depth training, discussions, strategy sessions, CTF and more. Gain access to keynotes, exclusive breakouts, expert panels, on-demand sessions, plus an interactive peer-to-peer community. #NSConnect22 is your source for cutting-edge mobile AppDev, mobile AppSec and mobile DevSecOps insight. Register for replays!

NOWSECURE CONNECT 2022 CONFERENCE - REGISTER FOR REPLAYS! NOWSECURE CONNECT 2022 CONFERENCE - REGISTER FOR REPLAYS! Show More
magnifying glass icon

Headed for a wreck? Why you need to pay attention to data security for connected cars

Posted by

Kevin Beaver

Information security consultant at Principle Logic
Kevin Beaver, CISSP is an information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC with over 28 years of experience in IT and 22 years in information security. He specializes in performing independent security assessments, with a focus on application and IoT testing, to help organizations minimize their IT risks, take the pain out of compliance, and uncheck the checkboxes that keep creating a false sense of security. Kevin has written/co-written 12 books on information security including the best-selling "Hacking For Dummies" and "The Practical Guide to HIPAA Privacy and Security Compliance." Kevin has also written over 1,000 articles on information security and serves as a regular contributor to websites such as TechTarget's SearchSecurity.com, Ziff Davis' Toolbox.com, and IBM's SecurityIntelligence.com. In his free time Kevin races cars in the SCCA Spec Miata class.
Connected car data security

This is a guest post, and the views expressed don’t necessarily reflect the views of NowSecure.

Everyone’s talking about connected cars. Cars connecting to the Internet. Cars connecting to one another. Cars connecting to roads. The possibilities are endless. The mobile apps, code running in our cars, and overall features are nice and certainly move technology forward. But at what cost? The concept of car “hacking” has been around for decades when all we had was hardware to play around with. In this era of software and firmware hacking, things are changing quickly with the most publicized event being the Jeep Cherokee exploits a couple of years ago. Given all of the security and privacy considerations with connected cars, there’s a lot that can happen.

Last year, I broke down and bought a “connected” car. I never thought I’d do it. I’m more of an old-school car nut. Horsepower and handling tend to make me the happiest. But I also have a organization to run and there are major efficiencies to be gained with my smartphone used in conjunction with my Bluetooth head unit.

Still, all of this connectedness worries me a bit. I’m just now digging into what’s going on between my vehicle and the manufacturer. I should’ve started sooner to get a good baseline. From the mobile apps to the actual data being communicated and any other variables, it’s all going to get a good security assessment. I’m sure I’ll violate the terms of service. Oh well, I’m a car guy and a computer guy, and I’m concerned about what’s going on behind the scenes that many people don’t seem to be concerned about.

With the demand for greater connectivity, things are evolving at breakneck speed – both in cool features and risks. Take, for instance, the Dedicated Short Range Communication (IEEE 1609) requirement from the IEEE Vehicular Technology Society. How will that technology impact connected car privacy and security when unintended consequences such as malicious attacks or government espionage occurs?

I know the automobile manufacturers are working to improve security in various ways, one example is the Automotive ISAC formed in 2015. But how far off are highly secure automotive systems that are impervious to attack? We’re still waiting on that from operating system, application, and database vendors who have been working on this challenge for decades. What can we as IT and security professionals do to make this better? Moving forward, driverless cars can certainly take these security and privacy concerns to the next level.

Another consideration is how does all of this impact enterprise data security programs? The IoT tie-ins are huge. What happens when mobile apps on phones and tablets expose corporate data? What about backdoors? Where are they and how are they impacting organizationes? When are executives going to be kidnapped (or worse) via car or connected highway hacking? I didn’t previously see things from such an extreme perspective, but I’m just seeing too much in the industry to take this lightly. At a minimum, certain security standards and policies involving passwords, patching, and system hardening will have to be integrated into existing controls around mobile computing, corporate travel, and application security testing. Worst case, all of this connectivity is going to have to integrate directly into information security programs and software development lifecycles – perhaps under the guise of IoT security. Perhaps something different.

There are no solid answers at this point. The industries, technologies, and public policies are still relatively immature. One thing’s for sure: we need to be paying attention.

 


Learn how NowSecure helps carmakers and tier one suppliers with connected car cybersecurity or take a look at slides from “Mobile App Crashworthiness,” NowSecure CEO Andrew Hoog’s talk at the 5th Automotive Cyber Security Summit in Detroit.