Your New Car May Connect You to Greater Cyber-Risk
Smith said that much of the problem is that, like many other IoT devices, the computers in cars are designed with the assumption that they're internal devices that aren't connected. Now they are, and the designers have to deal with the learning curve that requires. "They're doing better than when I first started," Smith said. "They're taking security seriously."
Unfortunately, not all is rosy inside IoT land. "A lot of it, the more severe stuff, tends to be based on wireless communications," Smith explained. "There are usually not a lot of barriers to getting into the trusted system." I thought about the car I'd purchased just two days before and its ability to get weather radar and Yelp reviews. Smith said that the worst vulnerabilities are centered around cellular communications and other types of wireless as well. Wireless communications can also include on-board WiFi hotspots and on-board diagnostic systems.
But, at least, most of the car companies aren't totally clueless when it comes to security. I thought back to the conversation I'd had with a member of my carmaker's support team. "You need to go to a local dealer and get your car's software updated," she said. She'd been checking my car online, and apparently didn't like what she'd seen. For other vendors, notably Tesla, the updates are pushed to the car if there's a WiFi network available.
Smith said that cars, like other Internet of Things (IoT) devices, could be a lot more secure than they are. "There's not a whole lot you can do without security standards," he said. Much of the problem is that the folks who design car systems weren't used to thinking about security first. "They had the mentality that the vehicle was trusted," Smith said. "They assumed that the cellular network was secure."
Smith advocates for greater openness on the part of the manufacturers, explaining that by allowing anyone to examine the basic code, automotive systems are much more likely to be secure since there are more eyes to spot problems. He pointed to Tesla, which has a HackerOne project that allows owners and researchers to notify the company of apparent security breaches. "GM has a vulnerability exposure process" in which revealing holes in the company's security is encouraged, Smith said. He also suggested paying attention to the Open Garages website, where car and IoT security researchers discuss vulnerabilities and fixes. Smith also said that the companies need to be more open, if only because it makes it easier to find problems and fix them.
"I'm seeing the automotive industry doing a lot more threat modeling," Smith said. Unfortunately, there's no good way for people who buy and drive connected cars to do much about security, since there aren't any antivirus or anti-malware packages out there for cars. On the other hand, some carmakers are paying attention, even to the extent of offering over-the-air updates.