Security researchers have warned drivers that internet-connected cars could be at risk of being stolen or remotely controlled as car makers rush out products without properly securing them. IT security experts from AlienVault and ESET commented below.
Javvad Malik, Security Advocate at AlienVault:
“There is a rush to integrate smart capabilities into as many devices as possible. But not all IoT devices are equal, and manufacturers should take the risk into consideration when creating such functionality. In the case of cars, the impact of poor security can be very high, ranging from theft of an expensive vehicle through to serious injury or even death by interfering with controls whilst a car is in motion.
Security needs to be integrated into every stage of the software development lifecycle and all scenarios thoroughly tested internally, and by trusted third parties to ensure no vulnerabilities exist in the software.
In addition, monitoring controls should be built into the system to ensure integrity of the software, as well as to alert customers on any unusual activity occurring on the vehicle e.g. unexpected unlocking at odd hours.”
Mark James, IT Security Specialist at ESET:
“With the perceivable “need” for apps to connect to virtually everything we interact with these days, it’s easy for their urgency to overrule their security. But with our quest to control everything from our smart phones our very safety is at stake here, not to mention losing something we spend thousands of pounds on.
Making sure the app developer makes it difficult to reverse engineer the app itself will stop the app hijackers from finding out key personal info and thus injecting their own code to do exactly as they need should be in its basic makeup. With most aspects of security it’s all about layered defences, checking to see if the device is rooted and if so, clearly warning the owner of the dangers if their device is compromised could help.
One way of protecting against an attacker compromising the app itself and injecting code to do their own bidding, would be to check its own integrity for unauthorised changes. If modified in any way then it would render itself useless, although frustrating it’s a lot better than trying to locate a stolen vehicle. Of course currently we are talking about proof of concept and what might happen but as more and more cars become controllable via apps then this is a very real threat that should be addressed at this early stage with the early adopters and not waiting until its standard across all platforms.”