This is the first article in a series. Be sure to read Part II for the full story.

Since the inception of the first vehicles in the early 20th century, the automotive industry has come a long way to satisfy market-driven requirements and evolve cars into a means of transportation that engages state-of-the-art electronics and information technology for passengers’ comfort and entertainment.

The Value of Connected Vehicles

In particular, recent years have seen vehicle connectivity as a fundamental part of the connected society. This gives rise to a host of value-add services that benefit all stakeholders in the automobile ecosystem. The value proposition of connected vehicles has been rapidly embraced by the industry, with expectations for 250 million connected vehicles shipped by 2020, according to a Gartner report.

| Stakeholder | Value-Add Services (examples) |
| --- | --- |
| Car owners | Social navigation (e.g., Waze), individualized infotainment, automated driving support. |
| Automakers | Enablement for new business models and revenue streams (e.g., pay-as-you-drive models for car insurance), proactive aftermarket diagnostics (e.g., predictive maintenance), over-the-air ECU firmware updates. |
| Businesses | Optimized transport services such as real-time fleet management. |
| Municipalities | Smart city services such as traffic congestion management and emission control. |

Table 1: Benefits for Stakeholders

However, along with the benefits of connected vehicles come the risks associated with security breaches, as well as concerns over data privacy. The reason for this is that the automobile, a product that was originally purely mechanical, has evolved into a complex IT network on wheels. Vehicle original equipment manufacturers (OEMs) have always been keen to put driver safety as a top priority, and this has been the major motivation behind developing driver assistance systems. While these programs have dramatically improved passengers’ safety over the last decade, cybersecurity risks became relevant for the OEMs when the vehicle became connected to the Internet and offered outsiders access to the vehicular network.

Nothing Is Without Risks

These risks are now amplified by the fact that modern vehicles are among the most complex software-driven systems invented by mankind. Certain studies have estimated that an average modern car hosts around one hundred million lines of software code, roughly twice the size of the software that drives the Large Hadron Collider in Switzerland, the largest particle accelerator ever built.

Moreover, vehicle software and firmware manage anywhere from 70 to 100 electronic control units (ECUs), which are connected by many Controller Area Networks (CANs). Since vehicles now employ multiple communication protocols to connect with other machines and infrastructure systems, and they are equipped with a host of related communication features (e.g., Bluetooth, USB ports and even near-field communications), the connected vehicle threat surface is wide and highly exposed to attacks, as various researchers have observed.

Many credible automakers have fallen prey, often publicly, to attackers that exploited those vulnerabilities. Those automakers were forced to issue expensive recalls in order to patch security vulnerabilities. They likely have also incurred indirect damages to brand value and reputation.

Using an IDS for Protection

Given the high stakes, industry players conduct important research to develop solutions for securing connected vehicles. A popular approach pursued by several vendors is a specialized intrusion detection system (IDS) for vehicles, wherein elaborate analysis algorithms — possibly implemented in an embedded device — are used to continuously inspect the car’s internal communication network. When a threat is detected, a corrective action is taken; for example, the communication channel is blocked, and an alert is potentially raised.

While the vehicular IDS approach has merit, it also has limitations. First, a vehicular IDS mainly inspects and reasons about communication traffic exchanged among the ECUs over the vehicle’s CANs. While this information is important, especially if an IDS applies elaborate analysis techniques, the insights obtained from such local analysis represent only a relatively small subset of relevant security events internal to the vehicle’s environment. Some attacks on the vehicle may be detected with this approach, yet many sophisticated attacks — such as Sybil attacks, where an adversary forges the identities of many imaginary cars to subvert the network — will remain undetected.

Another limitation of vehicular IDS is the constrained processing and memory resources that such a device can consume due to the cost sensitivity of automakers and price sensitivity of buyers. Those constraints and the low computational footprint available for an IDS in the car inherently limit the performance and quality of the security coverage that can be provided.
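
As an added illustration of the in-vehicle inspection described in this section (not code from the original article or from IBM), the following Python example learns each CAN ID's broadcast period from a clean baseline, then flags frames that arrive much earlier than expected or carry an ID never seen in the baseline. The timing heuristic, the 0.5 threshold ratio, the IDs 0x244 and 0x7DF and both traces are constructed assumptions.

```python
from collections import defaultdict

PERIOD_US = 10_000  # constructed: ID 0x244 is broadcast every 10 ms

def clean_trace(n=50):
    """Constructed baseline: periodic frames as (timestamp_us, can_id)."""
    return [(i * PERIOD_US, 0x244) for i in range(n)]

def attacked_trace():
    """Constructed capture: baseline plus spoofed 0x244 frames and an unseen ID."""
    trace = clean_trace(20)
    # Extra 0x244 frames placed 2 ms after the legitimate ones (constructed).
    trace += [(i * PERIOD_US + 2_000, 0x244) for i in (5, 6, 7)]
    trace.append((123_000, 0x7DF))  # ID that never appears in the baseline
    return sorted(trace)

class TimingIDS:
    """Per-ID inter-arrival monitor with a small, fixed memory footprint."""

    def __init__(self, ratio=0.5):
        self.ratio = ratio    # alert when a gap is below ratio * learned period
        self.period = {}      # can_id -> mean period learned from the baseline
        self.last_seen = {}   # can_id -> timestamp of the previous frame

    def learn(self, trace):
        gaps, last = defaultdict(list), {}
        for ts, can_id in trace:
            if can_id in last:
                gaps[can_id].append(ts - last[can_id])
            last[can_id] = ts
        self.period = {cid: sum(g) / len(g) for cid, g in gaps.items()}

    def inspect(self, ts, can_id):
        """Return an alert label for this frame, or None if it looks normal."""
        if can_id not in self.period:
            return "unknown-id"
        prev = self.last_seen.get(can_id)
        self.last_seen[can_id] = ts
        if prev is not None and ts - prev < self.ratio * self.period[can_id]:
            return "timing-anomaly"
        return None

def run_ids(baseline, capture):
    """Learn from the baseline, then return (timestamp, id, alert) per flagged frame."""
    ids = TimingIDS()
    ids.learn(baseline)
    return [(ts, can_id, alert) for ts, can_id in capture
            if (alert := ids.inspect(ts, can_id))]
```

Because it observes only one vehicle's bus, a detector like this has no view of cross-vehicle attacks such as the Sybil attack mentioned above.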

The Final Word

A comprehensive solution for connected vehicle security must reconcile conflicting requirements and address multiple design challenges. On the one hand, as described above, the threat detection potential at the vehicle level is limited; on the other hand, a centralized, server-based architecture will not be a proper solution either. The dynamics and scale of a broad vehicular network would impose severe computational and communication costs in managing the network and uploading security data from the vehicles to the server. A solution that provides a comprehensive real-time security view must therefore reconcile the above design trade-offs and integrate multiple capabilities.

At the upcoming International Motor Show in Frankfurt, Germany, we will present a prototype solution for securing connected vehicles, based upon research conducted by IBM in its Cybersecurity Center of Excellence in Israel. Our solution is based on a client/server architecture where an in-vehicle component communicates with a cloud-based server component. Using a novel approach for coordinated anomaly detection, this powerful solution, designed in the IBM Lab, can identify attacks on the integrity of both individual vehicles and across vehicle networks.
