Earlier this year, we published a piece about the need for a cybersecurity wake-up call in the automotive industry. The focal point of the story was a report on the industry by Synopsys that brought up critical red flags for all organizations operating within the automotive supply chain.

Fast forward to just over half a year later (an eternity in the tech world), and there appears to be more cause for optimism.

I reached out again to Chris Clark of Synopsys not only to get a pulse on where everything stood but also to check on the state of connected car security from the perspective of the consumer. Clark told me that since we last spoke in February, the industry has been very quick to react to the security challenges that are being brought up.

“When you have an organization like Volkswagen coming out and stating that not only is the future of vehicle development critical to the organization, but so is the safety and security of the vehicles that are being developed by the organization, that says something,” he said.

Keeping Up With Ever-Changing Car Tech

According to Clark, one of the biggest security challenges for the industry is the long delay between a vehicle’s conceptual beginnings and its eventual launch, which can often be five years. During that time, newer security technologies come into play, so the original equipment manufacturers (OEMs) and other organizations in the supply chain are thinking more about security along the way.

“They’re making some pretty significant steps forward,” Clark said. “Part of the challenge is when you look at designing a vehicle and look at security from the ground up, you have to look at the chips that are driving that system. If there’s weaknesses in the chip level it doesn’t really matter how much security you put on top of it, there’s still a weakness.”

Recently, he said, chip manufacturers have been urged to provide much more robust, secure solutions.

“We will start to see this more in safety-critical environments, especially with multi-core processing required for vision systems and other sensor-mesh-type technologies. The industry is reacting pretty quickly, and it’s pretty impressive to see so far,” Clark added.

A Network on Wheels

Remember, the automobile of today — even the most basic recently released vehicle — is driven by computers. Whether it’s cruise control, lane management, lane metering or the infotainment system, there’s a computer driving it. According to Clark, when we talk about a car, it’s really a “network on wheels with a bunch of computers.”

The focus of that network for most vehicles is, perhaps surprisingly, the infotainment system. And it’s not just 5G connectivity; smart vehicles armed with Zigbee can connect with smart home systems. For example, when cars get closer to home, they can interact with home infrastructure and communicate about the state of the vehicle to the owner.

And, like any network, the automobile now harvests a significant amount of data. Researchers have even succeeded in retrieving personally identifiable information (PII) from rental cars.

We don’t think about this enough — I recall renting a car last year, and I definitely plugged my smartphone into the CarPlay system. Did I leave any personal information in the car’s brain? I admit my heart missed a few beats when Clark brought this up.

Any enterprise with a fleet of vehicles to offer employees must consider this privacy issue as well.

Connected Car Security Baked In From the Start

As for general connected car security, auto manufacturers should begin with the fundamental activities in the vehicle design process. Tools like fuzz testing and static code analysis should be standard, and they’re on the verge of standardization across manufacturers.

Also critical for auto manufacturers is managing the technical debt once the vehicle has left production. In many cases, the only time when a vehicle gets serviced is at the dealer — at which point, it will often get a software update.

“Organizations have to look at how to manage the software in those cars over the lifespan of the vehicle,” Clark said. “So virtualization is going to play a key role in that.”

Because manufacturers can’t keep every version of their vehicle in the lot to pull for testing, Clark advised creating a virtualized environment to mimic the vehicle. Then, they can perform the level of testing required to manage security vulnerabilities as they arise over the vehicle’s lifespan. While this represents a serious challenge for the current crop of cars, it will become easier for vehicles in future years as more virtualized environments become available to work in.

Finally, in addressing the various hacks that have affected the industry, Clark has seen OEMs approach the problem in many different ways.

“Diversity is really good when you start talking about security,” said Clark. “As these diverse methods start to mature and we see some methods working better than others, we’ll start to see providers across the board arrive at standardized development methodologies and technology solutions that benefit the consumer in the end.”

Practical Advice for the Consumer

For consumers looking to buy a “smarter” car, there are numerous options and features that can easily overwhelm even the savviest of car buffs. According to Clark, there are a few questions you should ask yourself:

  • Does the vehicle have a track record with some potential for service and support over the duration of its life cycle?
  • Does the vehicle have the technology attributes that I find interesting, and does it integrate with my home, my phone and my general lifestyle?
  • If there are a lot more electronics in this vehicle than there are in most, what will that look like from an insurance perspective?

That last question warrants further discussion. Synopsys is predicting a boost in consumer interest around reasonable cybersecurity requirements for a vehicle, especially when they start looking at their insurance bills after the purchase.

“Typically, most consumers only react when they feel a financial hit from it, and where they’re going to feel that is insurance,” Clark said, noting that the insurance industry is taking a very close look at future vehicles. “There’s been substantial work occurring over the last three years for the insurance industry to look at cybersecurity as it relates to not only autonomous vehicles, but also vehicles that have more electronics than they ever have before.”

As vehicles move toward full autonomy with features like self-repair and self-diagnostics, security and safety will certainly factor into insurance rates. This will inevitably factor into consumers’ financial decisions as well.

Optimism Remains Despite Deep Threats

During the writing of this story, CNN reported an FBI warning stating that “the automotive industry likely will face a wide range of cyber threats and malicious activity in the near future.”

This is certainly sounding the alarm, but when you stop to think about it, what industry isn’t being targeted by cyberthreats? I don’t doubt that we must be cautious, but doesn’t that solidify the argument that we all need to pay more attention to cybersecurity in general? Thankfully, Clark told me that all the automobile providers are developing a universal vernacular for how they share information about connected car security requirements.

“The industry is starting to align with common language that they can share for a clear and consistent understanding of what’s being asked,” he said. “That’s a major jump forward from what we’ve seen in the last couple of years.”

With so much pessimism surrounding the state of the threat landscape in the industry, it’s sure encouraging to hear that manufacturers are embracing security concepts more than ever before. Still, the industry can’t afford to take its foot off the cybersecurity gas pedal.
