Connected Cars Face Endemic Cyber-Security Risk

By 2020, there will be nearly 21 billion devices connected to the Internet, including up to 22% of passenger vehicles worldwide, according to IDC. But research from Veracode has revealed that automotive manufacturers on average have a security lag of up to three years before systems catch up with cyber-threats.

“What we’re seeing happen in the auto industry is a microcosm of what’s happening in financial services, healthcare and virtually every other sector—applications are not created with security in mind, creating a major area of risk,” said Chris Wysopal, CTO, Veracode. “Exposing a car to the Internet makes it vulnerable to cyberattack due to poorly written software, which could render the car unstable or dangerous. Building a secure application development program is a significant challenge for manufacturers, which is compounded by the need to do so under the microscope of government regulated safety standards and liability concerns.”

Consumers are certainly concerned. The Veracode report found for instance that half of British drivers (49%) are concerned about the safety of the connected car. Respondents also believe that manufacturers should be liable for the cyber-safety of the connected car: 87% of drivers polled believe all aspects of safety—including resiliency of applications to cyberattacks—rests with manufacturers, regardless of whether an in-car application was developed by a software company or the car manufacturers themselves.

And speaking of those applications, Veracode respondents from Fiat-Chrysler, Seat, Scania, Delphi and German industry body ADAC all agreed that driver-downloaded applications pose concerns around the security of critical systems being exposed to applications they did not develop. This creates situations where the safety of the vehicle would leave the control of the manufacturer.

Half of drivers in the Veracode survey are concerned about the security of driver-aid applications, such as adaptive cruise control, self-parking and collision avoidance systems, reflecting an equal level of concern with the safety of the entire vehicle.

“Manufacturers cannot afford to be complacent when it comes to application and overall system security within vehicles,” said Duncan Brown, research director, European Security Practice, IDC. “The positive implication from our research is that the market for downloadable applications is large, spanning the entire market of drivers of all ages and genders. Manufacturers should increase their focus on how to secure applications that enhance car functionality, such as the many driving aids currently being developed.”

Also, 46% of drivers are concerned about privacy, particularly as navigation systems evolve to do things like find, reserve and pay for parking automatically—thus opening up the potential for leaking credit card information and other personal data.

The stakes could not be higher. As Liam Fox, former UK defense secretary, noted, “Cybercrime is increasing at an alarming rate.  It is essential that public safety is uppermost in the minds of innovators and that risk is reduced to the minimum level possible.”

Photo © Pavel L Photo and Video/

What’s Hot on Infosecurity Magazine?