According to Kaspersky Lab, the automotive sector faces a number of threats over the coming 12 months. (Pictured here: Maxim Frolov, Managing Director for the Middle East, Turkey and Africa at Kaspersky Lab)
Kaspersky Lab brought together company experts, journalists and Kaspersky Motorsport drivers to discuss current and future aspects of automotive industry in the Middle East region and worldwide. Since modern cars become more connected and incorporate more intelligent technologies to make them smarter, more efficient, comfortable and safe, the growing risk of a vehicle’s systems being infiltrated or having its safety, privacy and financial elements violated, makes IT security a crucial necessity.
Kaspersky Lab has been a proud sponsor and IT partner to Scuderia Ferrari for many years. The company also collaborated with Abu Dhabi Racing to support Daman Speed Academy to help raising the profile of motorsport and promote cybersecurity as an issue relevant to anyone using modern technologies – not only in Abu Dhabi but also in the whole Middle East region.
“Kaspersky Lab has a lot in common with motorsport - we aim high and value reaction speeds and quality of service. I’m very glad to see success and professional growth in a sport that we support: earlier this year Daman Speed Academy driver Amna Al Qubaisi has taken a huge leap in her Motorsport career with a move to Formula 4 with the best team in the business “Prema” sponsored by Kaspersky Lab,” said Maxim Frolov, Managing Director for the Middle East, Turkey and Africa at Kaspersky Lab.
Amna Al Qubaisi, who is the first Arab female to take part in the Formula 4, is adamant on pursuing her passion of becoming a Formula 1 driver. "I'm glad to be sponsored by the global cyber security company Kaspersky Lab, as this allows me to dedicate my focus on my performance on the road, while leaving the security challenges to the experts" said Amna Al Qubaisi, Kaspersky Motorsport Driver.
Gartner estimates that there will be a quarter of a billion connected cars on the roads by 2020. Others suggest that by then around 98% of cars will be connected to the Internet. With each generation, cars incorporate new intelligent technologies for remote diagnostics, telematics and autonomous driving, remote driver assistance and infotainment. Car controls are becoming more and more complex cyber-physical systems with multiple sensors, controls, applications, subnets and communication modules that interact with other vehicles and their environment. Their functions can be controlled remotely, via digital systems. Because of this, connected cars are becoming more of a target for cyberattacks.
That’s why Kaspersky Lab together with AVL Software and Functions GmbH have recently made a big step forward with unveiling a prototype for secure car communications to ensure that connectivity opportunities don’t turn into failures. It demonstrates the possibilities of interference-proof communication between car components, the car, and its external connected infrastructure, making connected cars secure-by-design.
Kaspersky Lab experts closely analyse the key risks that could lie ahead and their potential impact for the automotive industry. The threats that are faced now, and those expected to be faced over the coming year should not be seen in isolation – they are part of this continuum – the more vehicles are connected, in more ways, the greater the surface and opportunities for attack.
According to Kaspersky Lab security experts, threats facing the automotive sector over the coming 12 months include the following:
Vulnerabilities introduced through lack of manufacturer attention or expertise, combined with competitive pressures. The range of connected mobility services being launched will continue to rise, as will the number of suppliers developing and delivering them. This ever-growing supply (and the likelihood of products/suppliers being of variable quality), coupled with a fiercely competitive marketplace could lead to security short cuts or gaps that provide an easy way in for attackers.
Vulnerabilities introduced through growing product and service complexity. Manufacturers serving the automotive sector are increasingly focused on delivering multiple interconnected services to customers. Every link is a potential point of weakness that attackers will be quick to seize on. An attacker only needs to find one insecure opening, whether that is peripheral such as a phone Bluetooth or a music download system, for example, and from there they may be able to take control of safety-critical electrical components like the brakes or engine, and wreak havoc.
No software code is 100% bug free –and where there are bugs there can be exploits. Vehicles already carry more than 100 million lines of code. This in in itself represents a massive attack surface for cybercriminals. And as more connected elements are installed into vehicles, the volume of code will soar, increasing the risk of bugs. Some automotive manufacturers, including Tesla have introduced specific bug bounty programs to address this.
Further, with software being written by different developers, installed by different suppliers, and often reporting back to different management platforms, no one player will have visibility of, let alone control over, all of a vehicle’s source code. This could make it easier for attackers to bypass detection.
Apps mean happiness for cybercriminals. There are a growing number of smartphone apps, many introduced by car manufacturers, which owners can download to remotely unlock their cars, check the engine status or find its location. Researchers have already demonstrated proof of concepts of how such apps can be compromised. It will not be long before Trojanized apps appear that inject malware direct into the heart of an unsuspecting victim’s vehicle.
With connected components increasingly introduced by companies more familiar with hardware than software, there is a growing risk that the need for constant updates could be overlooked. This could make it harder, if not impossible for known issues to be patched remotely. Vehicle recalls take time and cost money and in the meantime many drivers will be left exposed.
Connected vehicles will generate and process ever more data–about the vehicle, but also about journeys and even personal data on the occupants–this will be of growing appeal to attackers looking to sell the data on the black market or to use it for extortion and blackmail. Car manufacturers are already under pressure from marketing companies eager to get legitimate access to passenger and journey data for real time location-based advertising.
Fortunately, growing awareness and understanding of security threats will result in the first cyber secure devices for remote diagnostic and telematics data appearing on the market.
Further, lawmakers will come up with requirements and recommendations for making cybersecurity a mandatory part of all connected vehicles.
10. Last but not least, alongside existing safety certification there will be new organizations set up that are responsible for cybersecurity certification. They will use clearly defined standards to assess connected vehicles in terms of their resistance to cyberattacks.
Addressing these risks involves integrating security as standard, by design, focused on different parts of the connected car ecosystem. Defensive software solutions could be installed locally on individual electrical components— for instance, the brakes — to reinforce them against attacks. Next, software can protect the vehicle’s internal network as a whole by examining all network communications, flagging any changes in standard in-vehicle network behaviour and stopping attacks from advancing in the network. Overarching this, a solution needs to protect all components that are connected externally, to the Internet. Cloud security services can detect and correct threats before they reach the vehicle. They also can send the vehicle over-the-air updates and intelligence in real time. All of this should be supported with rigorous and consistent industry standards.