Deploying wireless technologies and enabling cloud connectivity in cars for enhanced vehicle functionality is exposing cars to hacking exploits. These advanced features, still in their first leg, lack strong security protocols and tend to invite threat actors to hack into car’s network.
We are well aware of the classic case of the Jeep Grand Cherokee hijack. It brought the real threat of connected car hijacking to public awareness and reminded the smart car manufacturers of the problem on their hands.
Nature of Risks Vehicles Face
A report from IntSights identifies the inherent cybersecurity risk and vulnerabilities automotive industry software manufacturers face as the industry undergoes radical transformation embracing connectivity. According to the report, vehicle attack vectors include remote keyless systems, tire pressure monitoring systems, GPS spoofing, software and infotainment applications, and cellular attacks.
"A lack of adequate security controls and knowledge of threat vectors enables attackers to take advantage of easily acquired tools on the dark web to reap financial gain. Automakers need to have a constant pulse on dark web chatter, points of known exposure, and data for sale to mitigate risk," said Etay Maor, Chief Security Officer, IntSights.
Improving the security of Connected Autonomous Vehicles (CAVs)
A testing at WMG, University of Warwick, bets to improve the security, privacy, and safety of CAVs. The group undertook real-world testing of four academic innovations in the IoT-enabled Transport and Mobility Demonstrator project funded by Lloyd’s Register Foundation.
It discusses four new innovations:
Group signatures: During vehicle communication, the messages sent contain a cryptographic proof that reveals the vehicle’s identity (via a digital signature). It allows the vehicle to be tracked for a long period. In this case, a group signature can be used to provide privacy indicating that the vehicle is a member of a group.
Additionally, the group signature scheme can be implanted to use a timestamp as a component of the signature. Therefore, the group signature would differ for the same text sent at a predetermined time difference. It would prevent eavesdroppers from knowing that the same vehicle sent both messages.
Authentication prioritization: It is possible that, on a busy roadway, an adversary may attempt to send multiple messages with incorrect signatures in order to prevent other vehicles from verifying the identity of actual vehicles.
Assigning priority to the messages will queue them in order of identity verification requests, meaning higher priority messages have the identity of the sender verified first.
Decentralized PKI: This innovation addresses faster downloading of keyservers to avoid delay in checking the identity of vehicles. Keyservers on the cloud face several limitations such as delayed communication due to additional communication hops.
The solution proposes to receive these keys faster from distributed edge infrastructure that sits next to the road infrastructure.
Decentralized PKI with pseudonyms: The extension of the previous concept is only to support periodically issuing new identities to vehicles on the road to offer privacy.
All the techniques mentioned above were demonstrated on the campuses of the University of Warwick and University of Surrey, as well as Millbrook Proving Ground.
Cloud connectivity and wireless technologies are standard features today, and drivers expect everything to work in a safe, reliable, and smart way.
Lead of the project Professor Carsten Maple of WMG, University of Warwick comments: “The cybersecurity of CAVs is key to make sure that when the vehicles are on the roads, the data is trustworthy and that vehicle communications do not compromise privacy. We tested four innovations developed in the PETRAS Project, and being able to apply them to the real world is the first major step in testing the security of CAV systems.”