Cyber-Attacks on Connected Vehicles
NEWS
During the past few years there have been stories featured in the news regarding hacked connected vehicles and theft of telematics and private user data: from hacked Tesla vehicles running amok and potentially driving people off cliffs, to cyber-gangs bypassing security in close proximity and stealing high-tier vehicles, to stories of gigabytes of connected vehicle telematics data being intercepted, to the most recent attack of cyber-activists hacking electric vehicle charging stations in Russia to feature pro-Ukraine messages. While many of the stories are true (albeit with various levels of accuracy), the narrative makes them newsworthy but does not actually reflect the true nature of security threats in connected vehicles. Many security service providers still rely on fear-mongering tactics and FUD (Fear, Uncertainty, and Doubt) narratives in order to promote their message and convince their market prospects about the severity of the situation. On the other hand, many vehicle manufacturers and Tier One suppliers fail to understand the actual challenges and problems that arise down the line when they introduce insecure products to end-users and strengthen their security posture only a) in the aftermath of a major hack, or b) when forced to do so by regulation.
TCU and Close Proximity Attacks
IMPACT
First things first: does the automotive industry need to fear script kiddies hacking users’ connected vehicles and driving them off cliffs? The answer is a resounding no. Or at least, definitely not at this point in time. In fact, it is very unlikely that related remote attack scenarios will be easy enough to conduct in a scalable fashion without extensive preparation on the part of the cyber-attackers.
However, as indicated by certain telematics security providers, vehicle theft is an issue with deeper roots. Most hacking attempts are likely to occur in close proximity to the vehicle by blocking or resetting security options, allowing attackers to gain entry to the vehicle systems. In many cases these are targeted attacks against high-profile targets/vehicles, meaning that attackers will first need to gain access to customer data (e.g., geolocation, behavior, movement, etc.) and vehicle data (manufacturer, model, system, OS, Telematics Control Unit (TCU), communication, carrier info, etc.) in order to successfully perform their task, with the Telematics Control Unit being a prime target.
This does not mean that security concerns for the majority of connected vehicles and TCUs are unfounded and irrelevant. A key factor in cybersecurity across all markets is the scalability threshold of attacks: the easier it is to automate a malicious script and launch an attack across a critical mass of users/devices/networks, the higher the likelihood that cyber-attackers will invest additional time, resources, and manpower into developing such tools. The rise of the software-defined vehicle opens brand new avenues for experimentation by attackers and a myriad of new threat vectors, zero-days, improperly authenticated services, and vulnerable applications. Additionally, unreliable telematics data is not only unusable to Original Equipment Manufacturers (OEMs), but also a drain on resources in more ways than one, from cellular subscription plans and fleet management optimization to customer data protection and insurance models. As such, telematics data security is not strictly related to protection against hacking attempts or remote command and control cyberattacks, but rather can provide a reliable foundation for all entities involved in the data and intelligence value chain.
How Do Car OEMs Hope to Secure Telematics Data?
RECOMMENDATIONS
The good news is that during the past few years, car OEMs have become increasingly active in exploring novel cybersecurity services for connected vehicles, initiating more advanced penetration testing and bug-hunting bounties, increasing their circle of partners to include digital identity and Public Key Infrastructure (PKI) providers, and moving to adopt new security regulations for telematics, external communications, in-vehicle networking, data governance, and cloud security. Although embedded hardware security at the level of the TCU and vehicle gateways is still lagging behind, the automotive industry is moving in the right direction. At a higher-tier level we see the further proliferation of security software including advanced firewalls, Virtual Private Networks (VPNs), Intrusion Detection and Prevention Systems (IDPS), in-vehicle threat intelligence, and even Vehicle Security Operation Centers (VSOCs).
Optimizing services for secure data management in connected vehicle telematics is key in further honing intelligence operations and unlocking new IoT security monetization opportunities in Vehicle-to-Everything (V2X) applications, especially when considered in the grander view of IoT and smart cities. Telematics applications stand at the very core of car OEMs' intelligence strategy, producing an ever-increasing amount of data and supporting key operations including, among others, fleet management, vehicle connectivity optimization, Firmware-Over-the-Air (FOTA), and predictive maintenance. While car OEMs partially adopt new security measures out of necessity due to compliance and regulatory concerns, the fact of the matter is that they do need to adapt V2X applications to meet the demands of the greater IoT ecosystems and are steadily starting to recognize the value of having a security-first approach in connected vehicles.
That is definitely good news for security providers but, even more importantly, it is a smart move by the car OEMs and related partners in the supply chain, like automotive firmware developers, device manufacturers, telematics service providers (TSPs), and insurers, who will benefit from having a secure foundation on which to build their services. This is particularly important considering that, any way we slice it, connected vehicles are increasingly becoming the most sophisticated “Internet of Things endpoint”. Naturally, the transition towards a more security-focused approach does come with additional costs and operational disruption. However, as most organizations that have fallen victim to a cyberattack would agree, it is definitely better than the alternative aftermath of loss of market share, reputation, and trust among business partners and end-customers.