Rusty Carter of Arxan Technologies explains why security should be a top priority for the manufacturers of connected cars.
When it comes to connected cars, much is made of the convenience and efficiency road users are set to gain as the technology develops. While that is undoubtedly true, with anything connected comes a litany of threats, and the stakes with connected cars are particularly high.
Rusty Carter, vice-president of product management at application security player Arxan Technologies, spoke to Siliconrepublic.com about connected vehicles, adequate protection and the role threat analytics can play in creating safer roads.
What are manufacturers missing when it comes to security in connected cars?
As connected vehicles are being designed and beginning to be rolled out, there are a few areas of security that aren’t being addressed strongly enough.
Notably, mobile applications that access and control systems, including access and operation, are lacking the protection needed to prevent the theft of intellectual property and data that, if lost, could result in vehicle theft.
Also amiss is integrity and tampering protection (and reporting) of system applications that, if modified, could alter the behaviour of the vehicle.
Is there a need to impose more regulation on the connected car industry and IoT at large?
Legislation to require protection of the integrity of vehicle control systems is absolutely important and underway in many areas. Extensions to this that I believe are needed are around not just the prevention of tampering, but also detection and reaction to attempted or successful tampering.
Visibility about the level of protection is a critical but often overlooked component to long-term security. Beyond the control systems, I think legislating protection may pose challenges. The needs and means of protection for things like cryptographic keys in a phone, as an example, are both very complicated and not universally applicable.
While protection of connected aspects beyond the control systems is critical to long-term consumer trust, it will likely be a competitive advantage of some automakers that employ broad protection and security analytics to all aspects that affect a customer’s perception of value and brand reputation.
How can threat analytics help companies that manufacture connected cars?
Threat analytics and the ability to detect and respond to vehicle threats and attacks are fundamental to maintaining security. It is not enough to have a separate security system to watch over various vehicle systems, because that will invariably become the hottest attack target and a single point of failure.
Ultimately, threat analytics built into the prevention and detection capabilities of the various apps and systems themselves will prevent removal or compromise, and lead to a long-lasting security posture for the vehicle and manufacturer.
What do you think it will take for manufacturers to spend adequate time on security strategy?
In most industries, there are four major motivating factors to spending adequate time: fear, knowledge, a breach/event, and a commitment to the brand’s reputation and customer trust.
The latter is most successful because it aligns the long-term value that security adds to a business and leads manufacturers to increase their knowledge and/or hire experts to deliver the right security.
Do you think the lack of security is hindering consumer buy-in?
I think the fear of the unknown is limiting some broader adoption today. There are of course early adopters, which make moving fast and advancing technology – sometimes at the expense of security – an attractive gamble. The price, however, will be significant, and the progress of the industry as a whole will be dampened if negative events occur.
Manufacturers should be focused on reassuring those reluctant to implement connected technology, and also limit the temptation to take risks that, even if adoptable by early adopters, could result in a loss or breach.
How is threat analytics helping makers of connected cars at present?
Threat analytics has been used by a large automaker to make near real-time decisions about access and operation of a vehicle via ‘phone as a key’. While protection can detect many different threats and risky environments, the automaker is using the analytics and reporting about those factors to contribute to a risk score, and alter behaviour of other safety and security systems based on the result.
For example, if a device is rooted, they may allow the device to unlock and operate the vehicle, but other systems such as location tracking are instructed to increase their reporting. They also may use the analytics to assess the application’s current state of protection, which, when combined with the reporting of other systems, enables them to make more holistic and contextual decisions about the abilities or behaviours of the vehicle.