In February 2010 a car dealership in Austin, Texas, was inundated by phone calls from over 100 irate customers. For some inexplicable reason, their cars wouldn’t start. To make matters worse, their car horns started to honk non-stop. At first, the dealership suspected a mechanical glitch, but eventually, police tracked down the real culprit: a disgruntled former employee. The young man had hacked into the dealer’s computers and remotely activated a vehicle-immobilization system, which disabled the ignition and triggered the horn in every affected vehicle.
Now, non-stop honking can be irritating, but shutting down an engine remotely can be downright dangerous. The potential threats posed by remote hacking will only grow as cars become more connected and more automated. Plenty of ink has already been spilled on this topic, but perhaps the most interesting question was posed by an article in The Guardian, titled, “Your Next Car Will Be Hacked, Are Autonomous Cars Worth it?”
In case you’re wondering, I firmly believe self-driving cars are worth it. They have the potential to reduce road deaths and boost mobility for millions. Nonetheless, the security threat is real and many of the concerns being raised about the nascent connected car industry must be addressed. So it should come as no surprise that on March 21 of this year the FBI issued a public service announcement on possible security threats to cars and trucks.
The announcement cites last year’s car hacking research and offers tips on how to keep your car secure. It also provides recommendations on what to do if you suspect your car has been hacked. For instance, it suggests that you:
- Ensure your vehicle software is up to date;
- Be careful when making modifications to vehicle software;
- Exercise discretion when connecting third-party devices to your vehicle;
- Be aware of who has physical access to your vehicle
Securing the Supply Chain
A friend of mine says that he makes his car secure by using an aftermarket device that monitors the car remotely. Of course, he also knows that a malicious hacker could use the very same device to introduce cybersecurity threats into his vehicle. The FBI advises caution when plugging potentially insecure gadgets into a car’s network. Their advice reminds me of certain security backdoor hacks in the networking arena, where remote hacking has become a way of life. One never knows if some of these vulnerabilities, such as the backdoor to this wireless router, are oversights in design or planted maliciously. In an industry like automotive, where components and subassemblies are sourced globally, injection of malware can happen anywhere in the world prior to assembly of the final product, creating a real need for secure manufacturing across the entire supply chain.
Holding your Car for Ransom
Some people in the security community claim that this is very far-fetched and argue that computer hacking has become ubiquitous only because criminals can make money from stealing and selling medical, personal, and financial data — they seem to think that such incentives don’t exist when it comes to cars. But, if the Guardian article is anything to go by, I’m not the only person who thinks this is a naïve point of view. After all, one of the fastest growing security threats is ransomware, where miscreants lock up your computer and demand money for re-activating it or for returning your stolen data.
As cybercrime crosses national boundaries with little risk for the perpetrator, is it really far-fetched to imagine someone temporarily taking over your car and then requesting a ransom payment? And what about the connected cars of the future, which will essentially be self-driving robots connected to networks through V2X (Vehicle-to-Vehicle and Vehicle-to-Infrastructure) and central gateway communication? What are the implications of car hacking and remote security breaches then?
The threat is real enough that in addition to the FBI warnings, Michigan senators Ken Horn and Mike Kowall have proposed a cybersecurity bill aimed at hackers and connected cars. Senate Bill 928 (pdf) spells out the types of crimes and corresponding sentences for car hacking, and Senate Bill 927 (pdf) makes car hacking a felony punishable by life in prison. One may say this is a bit draconian; however, it speaks to the gravity of the situation. It is encouraging to see lawmakers getting ahead of the curve and recognizing the seriousness of the problem.
Secure by Design and Life Cycle Management
Safety in a vehicle starts with securing the software that runs the car’s systems. The security must be robust, which can happen only if it is designed into the software right from the start. Managing the life cycle of security from birth to death is critical. A typical 2018 model year automobile will have over 100 ECUs in multiple domains, protected by multi-level hardware and software security technologies and best practices. The individual integrated circuits (ICs), subsystems, and modules used in the vehicle will need to need to be protected by secure manufacturing lines before the automobile is built. They will require provisioning during and after manufacturing and will have to utilize Over the Air (OTA) software upgrades as needed for the life of that vehicle. This is part of what is meant by end-to-end, lifecycle security. As an innovator in automotive software and security for over 15 years, BlackBerry and its subsidiaries QNX and Certicom understand these issues well.
QNX is the leading provider of unified whole-car operating systems that support all of the cabin-related and mission-critical functionalities needed to enable the connected, autonomous car of the future. When QNX wanted to add world-class system-level security and privacy to its offerings, it had to look no further than its mother company, BlackBerry. There is a reason why the name BlackBerry is synonymous with mobile security and privacy. At BlackBerry we believe these qualities are as elemental to an electronic system as DNA is to an organism— security and privacy are in our DNA.
Robust security and privacy cannot just be bolted on. It must be infused into a system from day one, and most importantly must be managed properly throughout the product life cycle. That is why BlackBerry security and privacy have been trusted by world leaders for over two decades and why BlackBerry is the mobility partner of all G7 governments, 16 of the G20 governments, 10 out of 10 of the largest global banks and law firms, and the 5 largest managed healthcare, investment services, and oil and gas companies. BlackBerry security has earned over 70 government certifications and approvals — more than any other mobile vendor. BlackBerry’s Lifecycle Security Services team is now leveraging this experience and the technologies and best practices behind it by offering such services to automotive OEMs to create the connected autonomous car, from concept to retirement.
A Matter of Trust
An iconic example of the depth of trust placed in BlackBerry security is the NSA’s licensing (and standardizing) of Certicom’s Elliptic Curve Cryptography (ECC) algorithms. These are quickly becoming the accepted crypto standard for enterprise, government, automotive, mobile, medical, industrial, and IoT security. Another example is Certicom’s ECC technology being adopted for automotive V2X message authentication (namely, ECDSA signing of compact ECQV certificates for speed). BlackBerry also provides world-class incidence monitoring and penetration testing security services. Putting it all together, BlackBerry and Certicom security and privacy technologies, combined with the BlackBerry’s secure OTA solution and QNX’s unified whole-car OS, give you a safe, secure, and reliable connected car platform — a true end-to-end system-level solution that will make the autonomous cars of the future not just secure, but BlackBerry secure.
Please be sure to join us at the 3rd annual BlackBerry Security Summit on July 19, in New York City, to learn how we are bringing security to the connected car. We will demonstrate how we have combined the innovative technologies from QNX, Certicom, BlackBerry Professional Cybersecurity Services, and BlackBerry IoT, to offer a comprehensive end-to-end security solution for the automotive industry.
Please visit http://www.qnx.com/news/events/securitySummit.html to register today.