Software-Defined Vehicles: The Convergence of IT and IoT Behind the Wheel
The effects that the digital world can now have on the physical world via cyber-physical systems are more prominent than ever. Organizations need to take note, as this may provide cyber threat actors additional ways to affect a person's physical safety. The rapid development of cyber-physical systems is largely due to two things: the growth and evolution of the internet of things (IoT), and a move toward more software-centric and intrinsically internet- and cloud-reliant technologies.
The internet has fast become integral to the operation of our devices, as connectivity enables features that were previously not possible. Bringing internet connectivity to 'things' resulted in IoT, and in my 2022 BlackBerry Security Summit presentation, Two Worlds Collide: The Convergence of IT and IoT, I talk about how internet connectivity and other advances from the world of IT are affecting 'things.' You can watch my presentation under the keynote section here – registration required.
IoT describes the billions of physical devices that connect to each other and exchange data via the internet. These devices could be as mundane as the smart watch on our wrist, as complex as the vehicles we drive, or as critical as the medical devices that help keep us alive.
While software-centric IoT promotes innovation and brings new functionality more quickly, it also presents an enormous expansion of the attack surface. The implications of this become a greater concern as the impact of IoT devices on our physical environment increases. Attacks on IT have evolved and become more advanced over the past 30 years or so. Now "mature" threat actors take advantage of IoT vendors who may be grappling with many of these IT world cybersecurity challenges for the first time.
The IT and IoT Convergence in the Automotive Industry
Let's consider the problem of IoT cybersecurity in the context of the automobile.
First, in IT the ability to detect intrusions and block attackers before they can reach their target is critical. With organizations focusing on the development of software-centric devices, the same is true in IoT. In fact, the fundamental technologies to secure IoT already exist and are not much different from what’s seen in IT. However, many of these technologies are not yet sufficiently adapted or adopted for IoT use cases.
The vehicle is one of the most powerful, iconic, and challenging IoT devices that now use cyber-physical systems. When you think about it, a vehicle – especially a software-defined vehicle (SDV) – is a collection of hundreds of connected computers.
In SDVs, software controls and directs what happens and when. And just like with a typical IT endpoint, various types of data are transmitted from the vehicle to enterprise servers, from those servers back to the vehicle through over-the-air (OTA) updates, and between the vehicle and other devices. It’s these interconnections, and the increased volume of software – including open source – that present a massive attack surface of potential vulnerability.
Why is securing SDVs important? The answer is that in next-gen vehicles, cybersecurity will be a significant component of vehicle safety. In the U.S., 6% of fatal crashes and 8% of injury-inflicting crashes in 2019 occurred due to distracted driving. Consider what might happen if a threat actor compromised the infotainment system in a vehicle in such a way that it distracts the driver. What might something as simple as an unexpected loud noise from the car speakers do?
This is more than conjecture. Cybersecurity researchers recently discovered a vulnerability in a connected vehicle (CV) service provided by SiriusXM that affects millions of cars. Researchers say they could exploit this vulnerability to unlock, start, locate, and honk the horns of cars from various brands, in an unauthorized manner, just by knowing the car’s vehicle identification number (VIN). As vehicles become more connected and software-centric, threat actors may not need to compromise safety-critical systems to potentially compromise safety.
IT and IoT are becoming tightly interwoven through software centricity — and that’s something we need to prepare for right now. More than ever, it is critical that we “bake cybersecurity in” at each stage of design and development, rather than try to bolt it on later. It’s not just about protecting against data theft or extortion anymore. As we move forward and technology advances, organizations need to consider the potential dangers that threat actors may pose to the physical wellbeing of people.
For more on this topic, watch my recent talk, Two Worlds Collide: The Convergence of IT and IoT, from the 2022 BlackBerry Security Summit.