Up to 100 million cars could be unlocked and potentially stolen by simply copying the radio frequency used in remote control locking systems, computer scientists say. IT security experts from MIRACL and AlienVault commented below.
Brian Spector, CEO at MIRACL:
“These vulnerabilities demonstrate the serious problem of verifying the identities of people using the connected devices within today’s cars. Having very limited encryption, identity management and data protection within such a powerful computer is extremely dangerous and poses a real and serious threat to everyone using our roads today. Move forwards to the increasing trend for driverless cars, and the potential fallout from this lack of authentication becomes even more frightening.
“For connected cars to become more secure, relationships must be established within the components of a vehicle, to ensure that only a legitimate operator can control the connected devices within a car. If a hacker then tried to take control of one of the on-board systems, their identity would not be verified and access would be denied.
“The current security checks often fail because they rely on slow, centralised identity verification services. To connect the components more quickly and autonomously, manufacturers should deploy a distributed trust model which allows for fast pre-authorisation, and removes the roadblock of a centralised service.
“All of this requires a serious system upgrade and a greater drive for security awareness among manufacturers as well as consumers who use connected cars. Drivers are going to need to get up to speed very quickly if they are going to take responsibility for cyber security within their own vehicles.”
Richard Kirk, Senior Vice President at AlienVault:
“There is no evidence that car manufacturers are taking cyber security seriously. One has to assume that given the recent high profile car hacks, the manufacturers have changed the way that they approach security, however this is not being publicised. Perhaps they should be boasting about their work as no doubt savvy customers will soon start asking questions.”
“Car owners should apply the same rules that they follow, or should be following, for their computers and smartphones. Use hard to guess passwords, do not share passwords and do not give anyone access to your car app or portal account. There is not much they can do otherwise since the car manufacturers control the car systems. For the example, unlike a PC or laptop, you cannot install a firewall in your car, although ironically cars do have physical firewalls between the engine and the passenger compartment, to literally protect the passenger against an engine fire.”
“Responsibility and liability may fall on the car manufacturer, insurer or driver themselves, depending on the country and legal jurisdiction, as well as the contractual terms of both the car purchase and insurance. It will probably take some time for cyber incidents to be challenged in court before clear lines of responsibility become clear. If insurance companies take the initiative and start including cyber cover in their policies, they could benefit from being seen to protect drivers, however cyber insurance is not a well understood business.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.