In the Internet of Things (IoT) era, hackers are using more than just computers in their cyber assaults. Take for example, a recent incident that knocked out access to many popular U.S.-based websites, including Twitter, PayPal, Etsy, Reddit, and the New York Times. Hackers infected common IoT devices, such as DVRs and webcams, with a malware named Mirai that turned these devices into a powerful botnet army that jammed up traffic to a domain name system (DNS) server. Without the central site, which acts like a telephone directory for the Internet, these websites became unreachable.
This distributed denial of service (DDoS) attack highlights the lack of security in IoT devices today – for evidence see our demos of hacking a drug infusion pump and connected tea kettle. Until manufacturers of insecure IoT devices are made accountable, we’ll see more unwilling soldiers added to DDoS armies.
Botnets on Wheels
Those soldiers could soon include connected and self-driving cars. Unlike the IT industry, which has been dealing with network and security issues for decades, the automotive industry is relatively new to this. That’s a problem, as automotive security is arguably more critical than traditional computer security, since cars can become dangerous weapons both on the road and on the Internet.
Today’s high-end sedan runs software with over 100 million lines of code. It is estimated that for every 1,000 lines of well-written code, there is one security vulnerability. So you can imagine how many potential vulnerabilities can stay dormant for years until exploited by hackers armed with nothing more than OpenGarages’ Car Hacker’s Handbook. Even the new generation of high-tech cars, developed from the ground up with security in mind, are still subject to remote hacks, according to reports.
Fast Forward
Let’s fast forward to a few years from now. After a few high-profile security incidents, carmakers have upped their security game to the level of the tech industry. Fully autonomous vehicles are starting to appear, along with related infrastructure: command and control centers that take sensor data from cars to adjust traffic lights, dangerously icy bridges that notify cars to reroute or use extra caution, and cloud-based services that let cars collectively inform each other of dangers ahead (think Waze on steroids).
At that point, networked cars are as secure as mainstream IT infrastructure. But they still have a larger threat surface to deal with because of their mobility. If a car is enlisted into a hacker’s botnet, it can be used to jam the command and control center for a road or region, causing traffic jams and other chaos. Or a hacker bent on acts of terror or destruction could direct a car straight into the path of an 18-wheel truck carrying a dangerous load such as gasoline.
So How Should Carmakers Avoid DDoS Exploits?
It’s a critical time in the auto industry, which is why you see forward-looking firms like Ford inking major deals with us. For the last two months, my team at BlackBerry has also been doing software technology roadshows around the world, covering everything needed to make the autonomous car a reality. After hundreds of hours of meetings with car makers, a common theme is emerging: a lack of security standards. In reality, the standards are already here, in the form of algorithms, certificate signings, and secure supply chains. The real issue today is the auto industry’s lack of knowledge about best practices, how to apply security technologies in layers, and, most importantly, how to manage them on an ongoing basis.
Also, a security ecosystem vision has yet to emerge, and, even if it does, it will be different for each carmaker due to how they individually design and manufacture. Our Tier-1 customers that provide parts to carmakers (think Bosch, Delphi, etc.) see security as a competitive advantage and want to promote their own recipe. That actually conflicts with the preferences of automakers, who always want to have second or third sources for any technology, including security.
At BlackBerry QNX, we are not competing with other Tier 1 auto suppliers, and hence can provide solutions available throughout the supply chain. We have been supplying safety-certified embedded software to automakers for over 20 years, with over 60 million cars’ infotainment systems powered by our QNX platform. BlackBerry’s security and privacy have been trusted by world leaders for over two decades – read our credentials and certifications here. Combine that with BlackBerry’s over-the-air (OTA) managed services for timely security patches and functional software updates, our automotive security services consultants, and QNX’s industry know-how, and you understand why BlackBerry is the car industry’s emerging leader in automotive security.
For more on securing autonomous cars, watch our on-demand webinar on Three Aspects of Security for the Software-Defined Car.