Carmakers warned to focus on security of connected vehicles

As anyone who visits cybersecurity shows knows, vehicle hacking has become the presentation topic guaranteed to pack them in.

True to form, this year’s DEF CON Car Hacking Village stream featured Tencent Keen researchers successfully hacking Tesla’s Model X for the second year running.

Following up 2016’s demonstration of an attack in which the team disabled the car’s brakes via Wi-Fi, this year they remotely turned on the lights while opening and closing the doors, producing a slick video showing off their handiwork.

Reminding the world that this isn’t a harmless light show, they made the vehicle’s brakes engage while driving for good measure.

Tesla reportedly fixed the flaws in the vehicle’s Controller Area Network (CAN bus) and Electronic Control Unit (ECU) attack within two weeks using an over-the-air (OTA) update, swift by security standards. It also pointed out that the attack was not easy to pull off.

But the mere fact that today’s cars now have this sort of vulnerability is a reminder of the accelerating digital complexity of a form of transport people still see as seats with an engine attached.

Aware that cybersecurity show techniques have a history of turning up in the real world, and with autonomous vehicles that depend on complex software control not that far off, governments and industry are starting to react.

This week the UK Department of Transport published a guidance document designed to set out first principles to carmakers, going beyond the industry’s tentative cyberthreat initiative, Auto-ISAC, which convened in 2015.

Inspired by a detailed policy document from the US National Highway Traffic Safety Administration (NHTSA) a year ago, as well as the proposed Autonomous and Electric Vehicle Bill set out in June, this sets out a set of first principles that range from the sensible to the stringent.

Foremost is a warning that carmakers must set up aftercare to cope with flaws and cybersecurity incidents as well as plan for the entire lifetime of a vehicle, not simply the profitable bit after it has been sold.

Manufacturers must further impose standards on their supply chains and make sure personal data gathered is managed according to laws that will include revised data protection.

All very worthy, but the biggest warning is simply whose job it is to make sure all this happens:

Personal accountability is held at the board level for product and system security (physical, personnel and cyber) and delegated appropriately and clearly throughout the organisation.

Message: blaming engineers further down the hierarchy won’t be good enough in future should the hackers come calling.

On a visit to Bristol to promote the guidelines, transport minister Lord Callanan likened autonomous vehicles to PCs, urging owners to “treat them as you would your computer”.

Owners should be careful about downloading apps to in-car systems, and make sure software is updated, he said. In fact, the flawed PC model in which consumers make decisions about what to trust and not trust is, thankfully, looking extremely unlikely.

As vehicles become more autonomous they will also, paradoxically, become heavily dependent on remote management and monitoring. We can only hope carmakers are doing their deep thinking about this now.