Headed for a wreck? Why you need to pay attention to data security for connected cars

This is a guest post, and the views expressed don’t necessarily reflect the views of NowSecure.

Everyone’s talking about connected cars. Cars connecting to the Internet. Cars connecting to one another. Cars connecting to roads. The possibilities are endless. The mobile apps, code running in our cars, and overall features are nice and certainly move technology forward. But at what cost? The concept of car “hacking” has been around for decades when all we had was hardware to play around with. In this era of software and firmware hacking, things are changing quickly with the most publicized event being the Jeep Cherokee exploits a couple of years ago. Given all of the security and privacy considerations with connected cars, there’s a lot that can happen.

Last year, I broke down and bought a “connected” car. I never thought I’d do it. I’m more of an old-school car nut. Horsepower and handling tend to make me the happiest. But I also have a organization to run and there are major efficiencies to be gained with my smartphone used in conjunction with my Bluetooth head unit.

Still, all of this connectedness worries me a bit. I’m just now digging into what’s going on between my vehicle and the manufacturer. I should’ve started sooner to get a good baseline. From the mobile apps to the actual data being communicated and any other variables, it’s all going to get a good security assessment. I’m sure I’ll violate the terms of service. Oh well, I’m a car guy and a computer guy, and I’m concerned about what’s going on behind the scenes that many people don’t seem to be concerned about.

With the demand for greater connectivity, things are evolving at breakneck speed – both in cool features and risks. Take, for instance, the Dedicated Short Range Communication (IEEE 1609) requirement from the IEEE Vehicular Technology Society. How will that technology impact connected car privacy and security when unintended consequences such as malicious attacks or government espionage occurs?

I know the automobile manufacturers are working to improve security in various ways, one example is the Automotive ISAC formed in 2015. But how far off are highly secure automotive systems that are impervious to attack? We’re still waiting on that from operating system, application, and database vendors who have been working on this challenge for decades. What can we as IT and security professionals do to make this better? Moving forward, driverless cars can certainly take these security and privacy concerns to the next level.

Another consideration is how does all of this impact enterprise data security programs? The IoT tie-ins are huge. What happens when mobile apps on phones and tablets expose corporate data? What about backdoors? Where are they and how are they impacting organizationes? When are executives going to be kidnapped (or worse) via car or connected highway hacking? I didn’t previously see things from such an extreme perspective, but I’m just seeing too much in the industry to take this lightly. At a minimum, certain security standards and policies involving passwords, patching, and system hardening will have to be integrated into existing controls around mobile computing, corporate travel, and application security testing. Worst case, all of this connectivity is going to have to integrate directly into information security programs and software development lifecycles – perhaps under the guise of IoT security. Perhaps something different.

There are no solid answers at this point. The industries, technologies, and public policies are still relatively immature. One thing’s for sure: we need to be paying attention.

Learn how NowSecure helps carmakers and tier one suppliers with connected car cybersecurity or take a look at slides from “Mobile App Crashworthiness,” NowSecure CEO Andrew Hoog’s talk at the 5th Automotive Cyber Security Summit in Detroit.