When we take the automotive market in the era of the Internet of the Objects (IoT), most of us will think of the “connected car” or “Google car”. Today, the advantages of IoT are consumer-oriented and offer only basic functions, including convenience, maintenance and safety. Tomorrow, our interactions with our cars will be very different. As the tests and developments currently carried out by Google on his stand-alone car, one day we all may be passengers in cars that are able to communicate with each other. The aim of the connected car is to optimize our journeys and take us from point A to point B in maximum safety.
In the United States, when talking about security, the broadcast on CBS of a report on the piracy of a connected Jeep has marked the spirits. Was it impressive? Yes, but by pointing the spotlight on a potentially critical defect and a safety fault, the emission mainly caused the recall of 1.4 million vehicles.
Car manufacturers are also relying on their connected features, such as on-board wifi or mobile applications that control door closures – or even start vehicles. With all these “plugged in” features, the novelty criterion takes precedence over the negative consequences. But what happens when a consumer gets his phone stolen? Are there any security and authentication measures to ensure that the car will not be stolen as well?
As consumers, do we have to worry? Maybe or maybe not, it is probably too early to speak of an epidemic. However, we should begin to pay close attention to these connected features and their positive or negative impact on us. We will have to deal with these security issues, especially as the number of vehicles with integrated features is increasing. It is our security, and the confidentiality of our personal data and our property.
New risks for car manufacturers
For the moment, the first to be concerned about these vulnerabilities are the car manufacturers. A negative report at prime time, as in the example above, can have disastrous consequences on brand image and reputation. Such vulnerabilities also put consumers at risk and explode the costs of warranty repairs, as more than one million vehicles are affected. No one wishes to be associated with such an incident or to have to pay the bill for such heavy reputation damage. To limit the damage, Fiat Chrysler had to recall its vehicles in number and bear the related costs. If a dramatic accident had occurred, the consequences would have been irreparable; the manufacturer would also have played its survival.
Fortunately, the automotive industry has become aware of the problem. Cybersecurity is now on the agenda of the Alliance of Automobile Manufacturers, an association of 12 automakers including BMW, Fiat Chrysler, Ford, GM, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Porsche, Toyota, VW and Volvo.
But for automakers, this type of incident is perhaps only the tip of the iceberg. If the exploits of hackers able to partially take control of a vehicle attract the attention of the media, what happens in the engineering and manufacturing phase is otherwise more sensitive.
Safety, a concern in manufacturers’ workshops
Before a car takes off, its manufacture obeys extremely precise processes that meet drastic quality standards. The safety of each depends on the quality of the vehicles manufactured and sold. Today, the manufacturing process is almost entirely automated. To optimize this process, manufacturing sites and equipment are interconnected. This facilitates the analysis and sharing of critical data. This is called the Industrial Internet of Things (IIoT), or Industry 4.0. The use of these data can be extremely powerful and save manufacturers millions of dollars. But the interconnection of these devices also opens the door to new vulnerabilities that can put the builder, his employees and his customers at risk.
Imagine that part of a manufacturing equipment or software service is compromised during an attack. Serious problems can then arise. If a hacker accesses a temperature monitoring sensor on manufacturing equipment, how could this affect the safety of employees? Now what would happen if there was a malicious modification of the software to indicate to equipment the number of bolts to install to fix the chassis of a car on the assembly line? How would this affect consumer safety? It is behind the scenes of the industrial Internet of objects that security scenarios must be rewritten before they make the headlines.
Ensuring the integrity of firmwares
Now that cars are more than just computer-based wheeled computers, vehicle functions are controlled by an impressive number of embedded software and firmware. Initial installation of these software and firmware is done at the factory during manufacture, usually in a controlled environment. Time-tested and mile-tested vehicles will later need to upgrade their software and firmware.
These operations could be carried out by authorized dealers or any mechanic who has access to the vehicle. But how to know if the software or firmware installed on your car is the right one? Probably both you and your garage guy have no idea. However, if the software / firmware were signed, their integrity could be validated. Thus, only the appropriate updates would be installed, preventing the installation of malicious software or firmware on your vehicle.